[Federal Register Volume 66, Number 170 (Friday, August 31, 2001)]
[Proposed Rules]
[Pages 46162-46195]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 01-21810]



-----------------------------------------------------------------------

Part V

Environmental Protection Agency

-----------------------------------------------------------------------

40 CFR Parts 3, 51, et al.



Establishment of Electronic Reporting: Electronic Records; Proposed 
Rule



-----------------------------------------------------------------------

ENVIRONMENTAL PROTECTION AGENCY

40 CFR Parts 3, 51, 60, 63, 70, 123, 142, 145, 162, 233, 257, 258, 
271, 281, 403, 501, 745 and 763

[FRL-7045-5]
RIN 2025-AA07


Establishment of Electronic Reporting; Electronic Records

AGENCY: Environmental Protection Agency.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: EPA is proposing to allow electronic reporting to EPA by 
permitting the use of electronic document receiving systems to receive 
electronic documents in satisfaction of certain document submission 
requirements in EPA's regulations. The proposal also sets forth the 
conditions under which EPA will allow an electronic record to satisfy 
federal environmental recordkeeping requirements in EPA's regulations. 
In addition, under today's proposal, States and tribes will be able to 
seek EPA approval to accept electronic documents or allow the 
maintenance of electronic records to satisfy reporting and 
recordkeeping requirements under authorized or delegated environmental 
programs that they administer. The proposal includes criteria against 
which a State's or tribe's electronic document receiving system will be 
evaluated before EPA can approve changes to the authorized program to 
allow electronic reporting. Similarly, the proposal includes criteria 
against which EPA will evaluate a State's or tribe's provisions for 
electronic recordkeeping.
    Under today's proposal, electronic document submission or 
electronic recordkeeping will be totally voluntary; EPA will not 
require the submission of electronic documents or maintenance of 
electronic records in lieu of paper documents or records. EPA will only 
begin to accept direct submission of an electronic document once EPA 
has provided public notice that its electronic document receiving 
system is prepared to receive the document in electronic form. 
Similarly, EPA will only begin to allow electronic records to satisfy a 
specific EPA recordkeeping requirement once EPA has provided public 
notice stating that electronic records will satisfy the identified 
requirement.

DATES: In order to be considered, comments must be received on or 
before November 29, 2001. Comments provided electronically will be 
considered timely if they are submitted by 11:59 p.m. (Eastern time) 
November 29, 2001.

ADDRESSES: Comments should be addressed to the United States 
Environmental Protection Agency, Enforcement and Compliance Docket and 
Information Center, (Mail Code 2201A), Attn: Docket Number EC-2000-007, 
1200 Pennsylvania Avenue NW., Washington, DC, 20460. Commenters are 
also requested to submit an original and 3 copies of their written 
comments as well as an original and 3 copies of any attachments, 
enclosures, or other documents referenced in the comments. Commenters 
who would like EPA to acknowledge receipt of their comments should 
include a self-addressed, stamped envelope. All comments must be 
postmarked or delivered by hand by November 29, 2001. No facsimiles 
(faxes) will be accepted. Public comments and supporting materials are 
available for viewing in the Enforcement and Compliance Docket and 
Information Center, located at 1200 Pennsylvania Avenue, NW., (Ariel 
Rios Building), 2nd Floor, Room 2213, Washington, DC 20460. The 
documents are available for viewing from 9 a.m. to 4 p.m., Monday 
through Friday, excluding federal holidays. To review docket materials, 
it is recommended that the public make an appointment by calling (202) 
564-2614 or (202) 564-2119. The public may copy a maximum of 266 pages 
from any regulatory document at no cost. Additional copies cost $0.15 
per page. The rule and some supporting materials are also available 
electronically on the Internet for public review, using a www browser 
type, at http://www.epa.gov/.
    EPA will also accept comments electronically. Comments should be 
addressed to the following Internet address: [email protected]. 
Electronic comments must be submitted as an ASCII, WordPerfect 5.1/6.1/8 
format file and avoid the use of special characters or any form of 
encryption. Comments in electronic format should also be identified by 
the docket number EC-2000-007. Electronic comments will be transferred 
into a paper version for the official record. EPA will attempt to 
clarify electronic comments if there is an apparent error in 
transmission. Comments provided electronically will be considered 
timely if they are submitted electronically by 11:59 p.m. (Eastern 
time) November 29, 2001.

FOR FURTHER INFORMATION CONTACT: For general information on this 
proposed rule, contact the docket above. For more detailed information 
on specific aspects of this rulemaking, contact David Schwarz (2823), 
Office of Environmental Information, U.S. Environmental Protection 
Agency, 1200 Pennsylvania Avenue NW, Washington, DC 20460, (202) 
260-2710, [email protected], or Evi Huffer (2823), Office of 
Environmental Information, U.S. Environmental Protection Agency, 1200 
Pennsylvania Avenue NW., Washington, DC 20460, (202) 260-8791, 
[email protected].

SUPPLEMENTARY INFORMATION: Affected Entities. This rule will 
potentially affect State and local governments which have been 
authorized or which seek authorization to administer a federal 
environmental program under Title 40 of the Code of Federal 
Regulations. The rule will also potentially affect private parties 
subject to any requirements in Title 40 of the Code of Federal 
Regulations that a document be created, submitted, or retained. 
Affected Entities include:

------------------------------------------------------------------------
             Category                   Examples of affected entities
------------------------------------------------------------------------
Local government..................  Publicly Owned Treatment Works,
                                     owners and operators of treatment
                                     works treating domestic sewage,
                                     local and regional air boards,
                                     local and regional waste management
                                     authorities, municipal and other
                                     drinking water authorities.
Private...........................  Industry owners and operators, waste
                                     transporters, privately owned
                                     treatment works or other treatment
                                     works treating domestic sewage,
                                     privately owned water works, small
                                     businesses of various kinds,
                                     sponsors such as laboratories that
                                     submit or initiate/support studies,
                                     and testing facilities that both
                                     initiate and conduct studies.
State government..................  States or Tribes that manage any
                                     federal environmental programs
                                     authorized/approved by EPA under
                                     Title 40 of the Code of Federal
                                     Regulations.
Federal government................  Federally owned treatment works and
                                     industrial dischargers; federal
                                     facilities subject to hazardous
                                     waste regulation.
------------------------------------------------------------------------



    This table is not intended to be exhaustive, but rather provides a 
guide for readers regarding entities likely to be affected by this 
action. This table lists the types of entities that EPA is now aware 
can potentially be affected by this action. Other types of entities not 
listed in the table can also be affected. Note that while this proposal 
will affect entities involved with hazardous waste management, it does 
not apply to the Hazardous Waste Manifest, which EPA is addressing in a 
separate electronic reporting rule. If you have questions regarding the 
applicability of this action to a particular entity, consult the person 
listed in the preceding FOR FURTHER INFORMATION CONTACT section.
    Information in the preamble is organized as follows:

I. Overview
    A. Why does the Agency want to allow electronic reporting and 
record-keeping?
    B. What will the proposed regulations do?
II. Background
    A. What is EPA's current electronic reporting policy?
    B. How will today's proposal change EPA's current electronic 
reporting policy?
    C. Why is EPA proposing these changes in electronic reporting 
policy?
    D. What is EPA's approach to electronic record-keeping?
    E. What information is EPA seeking about electronic reporting 
and record-keeping proposals?
    F. How were stakeholders consulted in developing today's 
proposal?
III. Scope of Today's Proposal
    A. Who may submit electronic documents and maintain electronic 
records?
    B. How does today's proposal relate to the new E-SIGN 
legislation?
    C. Which documents can be filed electronically?
    D. Which records can be maintained electronically?
    E. How will today's proposal implement electronic reporting and 
record-keeping?
IV. The Requirements in Today's Proposal
    A. What are the proposed requirements for electronic reporting 
to EPA?
    B. What requirements must electronically maintained records 
satisfy?
    1. General approach.
    2. EPA's proposed criteria for electronic record-retention 
systems.
    3. Electronic records associated with electronic signatures.
    4. The relation of these requirements to Food and Drug 
Administration (FDA) criteria under 21 CFR part 11.
    5. Storage media issues.
    6. Additional options.
    C. What is the process that EPA will use to certify State 
systems as functionally equivalent to the CDX?
    D. What criteria are EPA proposing that State electronic report 
receiving systems must satisfy?
    1. General system-security requirements.
    2. Electronic signature method.
    3. Submitter registration process.
    4. Electronic signature/certification scenario.
    5. Transaction record.
    6. System archives.
    E. What are the costs and benefits associated with today's 
proposal?
V. The Central Data Exchange (CDX)
    A. What is EPA's concept of the CDX?
    B. What are the CDX building blocks?
    1. Public key infrastructure (PKI)-based digital signatures.
    2. The CDX registration process.
    3. The CDX architecture.
    4. Electronic data interchange (EDI) standards.
    5. The transaction environment.
VI. Regulatory Requirements
    A. Executive Order 12866
    B. Executive Order 13132
    C. Paperwork Reduction Act
    D. Regulatory Flexibility Act
    E. Unfunded Mandates Reform Act
    F. National Technology Transfer and Advancement Act
    G. Executive Order 13045
    H. Executive Order 13175
    I. Executive Order 13211 (Energy Effects)

I. Overview

A. Why Does the Agency Want To Allow Electronic Reporting and Record-
Keeping?

    More than ten years ago, EPA published a notice entitled: 
``Electronic Reporting at EPA: Policy on Electronic Reporting,'' (FRL-
3815-4) announcing the goal of making electronic reporting available 
under EPA regulatory programs. We gave as reasons for this goal our 
expectation that enabling the submission and storage of electronic 
documents in lieu of paper documents can:
     Reduce the cost for both sender and recipient,
     Improve data quality by automating quality control 
functions and eliminating rekeying, and
     Greatly improve the speed and ease with which the data can 
be accessed by all who needed to use it.
    Electronic reporting and record-keeping have a strong mandate in 
federal policy and law. As stated in the March, 1996, Reinventing 
Environmental Information Report, electronic reporting supports the 
President's overall regulatory re-invention goals of reducing the 
burden of compliance and streamlining regulatory reporting. In 
addition, the Government Paperwork Elimination Act (GPEA) of 1998, 
Public Law 105-277, requires that agencies be prepared to allow 
electronic reporting and recordkeeping under their regulatory programs 
by October 21, 2003. Given the enormous strides in data transfer and 
management technologies since 1990--particularly in connection with the 
Internet--replacing paper with electronic data transfer now promises 
increased productivity across almost all facets of business and 
government.

B. What Will the Proposed Regulations Do?

    The proposed rule will remove existing regulatory obstacles to 
electronic reporting and record-keeping across a broad spectrum of EPA 
programs, and establish requirements to assure that electronic 
documents and electronic records are--for all purposes--as valid and 
authentic as their paper counterparts. These proposed requirements will 
apply to regulated entities that choose to submit electronic documents 
and/or keep electronic records, and under today's proposal, the choice 
of using electronic rather than paper for future reports and records 
will remain purely voluntary. Today's proposal will not amend 
compliance requirements under existing regulations and statutes and 
will not affect whether a document must be created, submitted, or 
retained under the existing provisions of Title 40 of the Code of 
Federal Regulations. Similarly, today's proposal will not affect the 
period of required record-retention, whether the stored electronic 
document must be signed, who is entitled to receive copies of the 
record, the number of copies that must be maintained, or any other 
requirements imposed by the underlying EPA, State, tribal or local 
program regulations. Public access to environmental compliance 
information will not be adversely affected by today's proposal. 
Electronic reporting and record-keeping provisions in this proposal 
will provide for continued public access to electronic documents 
equivalent to that provided for paper records under existing law.
    For purposes of this proposal, EPA is using the term ``electronic 
reporting'' in a sense that excludes submission of a report via 
magnetic media, for example via diskette, compact disk, or tape; we are 
also excluding transmission via hard copy facsimile or ``fax''. 
Likewise, our use of the term ``electronic document'' throughout this 
Notice refers exclusively to documents that are transmitted via a 
telecommunications network, excluding hard copy facsimile. However, 
this proposal's exclusion of magnetic media submissions in no way 
indicates EPA's rejection of this technology as a valid approach to 
paperless reporting; we believe that in many cases magnetic media 
submission fulfills the goals of the Government Paperwork Elimination 
Act (GPEA). Many EPA programs have successfully used magnetic media 
submissions to implement their regulatory reporting, 
including Hazardous Waste, Toxic Release Inventory, and Pesticide 
Registration. EPA expects these magnetic media approaches to paperless 
reporting to continue, and nothing in today's proposal should be 
understood to proscribe them.
    For regulated entities that choose to submit electronic documents 
directly to EPA, today's proposal will require that these documents be 
submitted to a centralized Agency-wide electronic document receiving 
system, called the `Central Data Exchange' (CDX), or to alternative 
systems designated by the Administrator. Regulated entities that wish 
to submit electronic documents directly to EPA will satisfy the 
requirements in today's proposal by successfully submitting their 
reports to the CDX. While we do not intend to codify any of the details 
of how CDX operates or how it is constructed, EPA does solicit comments 
on the characteristics of the CDX and the submission scenarios 
described in this preamble. In addition, the CDX design specifications 
will be included as a part of this rulemaking docket. For regulated 
entities that choose to keep records electronically, today's proposal 
requires the adoption of best practices for electronic records 
management. Importantly, today's proposal will not authorize the 
conversion of existing paper documents to an electronic format for 
record-retention purposes because no mechanism currently exists that 
can be relied upon in all cases to preserve the forensic data in an 
existing paper document when it is converted to an electronic form. 
However, today's proposal does not prohibit such conversions at the 
Administrator's discretion on a case-by-case basis.
    Many facilities do not submit documents directly to EPA, but rather 
to States, tribes or local governments that are approved, authorized or 
delegated to administer a federal environmental program on EPA's behalf 
or to administer a state environmental program in lieu of the federal 
regulatory program in that State. We will refer to these as 
``authorized State and tribal programs.'' This proposal will allow for 
EPA approval of changes to authorized State and tribal programs to 
provide for electronic reporting, and EPA approval will be based 
largely on an assessment of the State's or tribe's ``electronic 
document receiving system'' that will be used to implement the 
electronic reporting provisions. For this purpose, today's proposal 
includes detailed criteria that EPA will use to determine that an 
electronic document receiving system is acceptable. These criteria 
address such issues as system security, the approach to electronic 
signature and certification, chain-of-custody and archiving, including 
provisions that address how a State, tribe or local government manages 
electronic records that are directly associated with its electronic 
document receiving system, as well as certain data transfers between 
this system and regulated entities. Beyond this, today's proposal does 
not address State, tribal or local government electronic recordkeeping 
or data transfers carried out to administer their authorized programs. 
Today's proposal does not address any data transfers between EPA and 
States or tribes as a part of administrative arrangements to share 
data. Finally, it is worth noting that EPA can approve changes to 
authorized State or tribal programs that involve the use of CDX to 
receive data submissions from their regulated communities. CDX has been 
designed with the goal of fully satisfying the criteria that this 
proposal specifies for assessing State or tribal electronic document 
receiving systems; similarly, EPA will ensure that other systems the 
Administrator designates to receive electronic submissions will satisfy 
the criteria as well. In view of this, EPA is exploring opportunities 
to leverage CDX resources for use by States, tribes and local 
environmental agencies.
    Similarly, many facilities maintain records to satisfy the 
requirements of authorized State and tribal programs. This proposal 
will also allow for EPA approval of changes to authorized State and 
tribal programs to provide for electronic record-keeping. EPA approval 
in this case will be based on a determination that the State's or 
tribe's program will require best practices for electronic records 
management, corresponding to EPA's provisions for electronic records 
maintained to satisfy EPA recordkeeping requirements.
    For both document submission and record-keeping, the point of the 
proposed requirements is primarily to ensure that the authenticity and 
integrity of these documents and records are preserved as they are 
created, submitted, and/or maintained electronically, so that they 
continue to provide strong evidence of what was intended by the 
individuals who created and/or signed and certified them. Among other 
things, today's proposal is intended to ensure that the federal laws 
regarding the falsification of information submitted to the government 
still apply to any and all electronic transactions, and that fraudulent 
electronic submissions or record-keeping can be prosecuted to the 
fullest extent of the law. In establishing clear requirements for 
electronic reporting systems and electronic records, this proposed rule 
will help to minimize fraud by assuring that the responsible 
individuals can be readily identified.
    While today's proposal will remove regulatory obstacles to 
electronic reporting and record-keeping, EPA will make electronic 
submission available as an option for specific reports or other 
documents only as the systems become available to receive them. 
Similarly, EPA will make electronic recordkeeping available as an 
option for specific record-keeping requirements only as programs become 
ready to adopt this change. In the case of electronic reporting, EPA 
plans to move aggressively toward implementation of CDX for high volume 
environmental reports submitted directly to EPA. EPA will publish 
announcements in the Federal Register as CDX and other systems become 
available for particular environmental reports and as programs become 
ready to make electronic recordkeeping an option. These points are 
discussed in more detail in Section III.C and D of this Preamble. To 
implement electronic reporting and recordkeeping under authorized State 
and tribal programs, EPA also plans to work with interested States and 
tribes to approve the necessary program changes as quickly and 
expeditiously as possible.

II. Background

A. What Is EPA's Current Electronic Reporting Policy?

    On September 4, 1996, EPA published a document entitled ``Notice of 
Agency's General Policy for Accepting Filing of Environmental Reports 
via Electronic Data Interchange (EDI)'' (61 FR 46684) (hereinafter 
referred to as ``the 1996 Policy''), where ``EDI'' generally refers to 
the transmission, in a standard syntax, of unambiguous information 
between computers of organizations that may be completely external to 
each other (61 FR at 46685). This notice announced our basic policy for 
accepting electronically submitted environmental reports, and its scope 
was intended to include any regulatory, compliance, or informational 
(voluntary) reporting to EPA via EDI.
    In the context of EDI, the ``syntax'' of the computer-to-computer 
transmissions may be thought of as the structure or format of the 
transmitted data files. And, ``format'' here refers to such things as 
the ordering and labeling of the individual elements of data, the 
symbol used to separate elements, the way that related elements are 
grouped together, and so on. For example, for a file consisting of 
people's names, a simple 
format specification might be that (i) the elements occur in order: 
first-name, middle-name, last-name; (ii) the elements are labeled, 
respectively, ``F'', ``M'', and ``L''; (iii) each group of first, 
middle and last names is separated by a semi-colon; and (iv) there is a 
comma between any two elements in a group.
    For purposes of the 1996 policy, the standard transmission formats 
used by EPA were to be based on the EDI standards developed and 
maintained by the American National Standards Institute (ANSI) 
Accredited Standards Committee (ASC) X12. By linking our approach to 
the ANSI X12 standards, we hoped to take advantage of the robust ANSI-
based EDI infrastructure already in place for commercial transactions, 
including a wide array of commercial off-the-shelf (COTS) software 
packages and communications network services, and a growing industry 
community of EDI experts available both to EPA and to the regulated 
community. At the time EPA was writing this policy, ANSI-based EDI was 
arguably the dominant mode of electronic commerce across almost all 
business sectors, from aerospace to wood products, at least in the 
United States. EDI was also widely used in the Federal Government, most 
notably at the Department of Defense, but also, increasingly, at other 
agencies, including the Social Security Administration, the General 
Services Administration, the Department of Transportation, the Health 
Care and Finance Administration, the Department of Housing and 
Urban Development, and the Department of Health and Human Services.
    However, as the 1996 policy made clear, no specific EPA reporting 
requirement can be satisfied via EDI until the Agency develops the 
corresponding program-specific implementation guidance (61 FR 46686). 
This guidance generally needs to do at least three things. First, it 
needs to address such procedural matters as the interactions with the 
communications network (for EDI purposes, usually stipulated as a 
controlled-access, ``value-added network'' or ``VAN''), schedule for 
submissions and acknowledgments, transaction records to be maintained, 
and so on. Second, it needs to stipulate the specific ANSI X12 standard 
transmission formats--referred to as ``transaction sets''--to be used 
for the specified reports. This stipulation is essential, since ANSI 
provides hundreds of different transaction sets, each corresponding to 
a distinct type of commercial document, e.g. invoices, purchase orders, 
shipping notices, product specifications, reports of test results, and 
so on. Third, the guidance also needs to say how the stipulated 
transaction sets are to be interpreted. X12 transaction sets are 
generally designed to be somewhat generic--they typically leave a 
number of their components as ``optional'', and use data-element 
specifications that are open to multiple interpretations. (For a more 
detailed explanation of EDI and these implementation guidance 
documents, see section V.B.4 of this preamble.)
    Given a public notice that the applicable implementation guidance 
is ready, the September, 1996, policy allows facilities to submit 
required reports electronically using EDI once they enter into a Terms 
and Conditions Agreement (TCA) with the Agency (61 FR 46685). Where the 
report in question requires a responsible individual at a facility to 
certify to the truthfulness of the submitted data, the TCA must provide 
for the use of a Personal Identification Number (PIN) as a form of 
electronic signature. Under the policy, the individual entering into 
the TCA is required to use a PIN assigned by EPA for this purpose (61 
FR 46685). Finally, under the TCA, the facility is required to adhere 
to security and audit requirements as described in the notice (61 FR 
46687).
    Finally, the 1996 policy also explained that the various programs 
may require additional security procedures on a program-by-program 
basis (61 FR 46684). Such procedures may be covered in the program-
specific implementation guidance, or can be provided through rule-
making.

B. How Would Today's Proposal Change EPA's Current Electronic Reporting 
Policy?

    For practical purposes, the most important changes that today's 
proposal makes to current policy are in our technical approach to 
electronic reporting. Generally, we propose to greatly broaden the 
options available for electronic submission of data. For example, while 
we will continue to support data transfer via standards-based EDI (as 
explained in section V.B.4 of this preamble), we will also provide 
options involving user-friendly ``smart'' electronic forms to be filled 
out on-line, on the Internet, or downloaded for completion off-line at 
the user's personal computer. In addition, we propose to support data 
transfers through the Internet, via email, or via on-line interactions 
with Web sites, in a variety of common application-based formats, such 
as those output by spreadsheet packages. In terms of electronic 
signature technology, while we may continue to allow PIN-based 
approaches, our plan is to emphasize digital signatures based on 
``public key infrastructure'' (PKI) certificates, given the increasing 
support for--and acceptance of--PKI for commercial purposes. (For an 
explanation of PKI, see Section V.B.1 of this preamble.) And, we plan 
to consider and allow for other signature technologies as they become 
viable for our applications.
    This proposal also represents some important changes in EPA's 
regulatory strategy. To begin with, we are proposing to abandon 
any attempt to use regulations or formal policies to place technology-
specific or procedural requirements on regulated entities submitting 
electronic documents. In place of the technology-specific/procedural 
provisions, our regulation will require that electronic submissions be 
made to designated EPA systems, or to State, tribal or local government 
systems that are determined to satisfy a certain set of function-based 
criteria. Thus, as a rulemaking, today's proposal will govern 
electronic reporting by placing requirements on the systems that 
receive the electronic documents--rather than on the regulated entities 
submitting them--and by specifying these requirements in terms of 
technology-neutral functionality.
    This new regulatory strategy does not mean that we are proposing to 
abandon any control over how electronic documents are submitted. We are 
proposing instead to require the use of the ``Central Data Exchange'' 
(CDX) system or other EPA designated systems for submissions to EPA. 
While the rule may be technology-neutral, CDX itself will incorporate a 
suite of very specific technologies, including digital signatures based 
on ``public key infrastructure'' (PKI) certificates, described in 
detail below. In addition, while the rule itself will not require more 
than the use of CDX for electronic submissions to EPA, using CDX will--
as a practical matter--impose a very well-determined set of 
requirements on the reporting process for those who choose electronic 
submission instead of paper when reporting directly to EPA. Section V 
of this preamble will describe these requirements in some detail.
    These changes in strategy are significant. They represent a 
decision that the mechanics of electronically submitting data should 
not be reflected in specific regulatory provisions. In addition, these 
changes give EPA the flexibility to adapt our electronic reporting 
systems to evolving technologies without having to amend our 
regulations with each technological innovation. That is, CDX or other 
designated systems can be changed as appropriate, so long as they 
continue to satisfy the function-based criteria that the rule 
establishes. In general, we believe that this strategy will enable EPA, 
the States and tribes to offer regulated companies a very user-friendly 
approach to electronic reporting that can be tailored to the level of 
automation they wish to achieve, and can incorporate improved 
technologies as they become available without the delay associated with 
rulemaking.

C. Why Is EPA Proposing These Changes in Electronic Reporting Policy?

    EPA is proposing these changes for three reasons. First, and most 
important, the technology environment has changed substantially since 
the September, 1996, policy was written. Web-based electronic commerce 
and Public Key Infrastructure (PKI) provide two obvious examples. While 
both were available and in use for some purposes in 1996, they had not 
yet achieved the level of acceptance and use that they enjoy today. We 
could not have anticipated in 1996 that this evolution would occur as 
rapidly as it has. Clearly, these developments require that we extend 
our approach to electronic reporting beyond EDI and PINs. In addition, 
they teach us that it is generally unwise to base regulatory 
requirements on the existing information technology environment or on 
assumptions about the speed and direction of technological evolution.
    Second, we believe that technology-specific provisions would, of 
necessity, be very complex and unwieldy. The resulting regulation would 
likely place unacceptable burdens on regulated entities trying to 
understand and comply with it, and might also be difficult for EPA to 
administer and enforce.
    Third, and finally, an electronic reporting architecture that makes 
a centralized EPA, State or tribal system the platform for such 
functions as electronic signature/certification is now quite viable--
and quite consistent with the standard practices of Web-based 
electronic commerce. In many ways, regulated entities' electronic 
transactions with the ``Central Data Exchange'' (CDX) will be similar 
to doing business with an on-line travel agency, book store, or 
brokerage, and with a similar client-server architecture. Given the 
state of technology five years ago, we could not have considered this 
approach in the September, 1996, policy.

D. What Is EPA's Approach to Electronic Record-Keeping?

    Today's proposal sets forth the criteria under which the Agency 
considers electronic records to be trustworthy, reliable, and generally 
equivalent to paper records in satisfying regulatory requirements. The 
intended effect of this proposed rule is to permit use of electronic 
technologies in a manner that is consistent with EPA's overall mission 
and that preserves the integrity of the Agency's enforcement 
activities.

E. What Information Is EPA Seeking About Electronic Reporting and 
Record-Keeping Proposals?

    In proposing to allow regulated entities to submit electronic 
documents and maintain electronic records, EPA has, at least, the 
following three goals:
     To reduce the cost and burden of data transfer and 
maintenance for all parties to the data exchanges;
     To improve the data--and the various business processes 
associated with its use--in ways that may not be reflected directly in 
cost-reductions, e.g. through improvements in data quality, and the 
speed and convenience with which data may be transferred and used; and
     To maintain or improve the level of corporate and 
individual responsibility and accountability for electronic reports and 
records that currently exists in the paper environment.
    EPA is seeking comment and information on how well today's proposed 
regulatory provisions and the associated Central Data Exchange 
infrastructure will serve to fulfill these three goals. Concerning the 
first--addressing cost and burden--EPA is particularly interested in 
and seeks comment on whether today's proposal will make electronic 
reporting and record-keeping a practical and attractive option for 
smaller regulated entities, especially small businesses. Concerning the 
second--addressing the data and the associated business process--we are 
especially interested in comments on how our proposed approach to 
electronic reporting and record-keeping will affect third parties, for 
example State and local agencies that may collect and/or use the data 
in implementing EPA programs as well as members of the public who have 
an interest in the data as concerned citizens.
    Concerning our third goal, it is essential that we continue to 
ensure sufficient personal and corporate responsibility and 
accountability in the submission of electronic reports and the 
maintenance of electronic records; otherwise we place at risk the 
continuing viability of self-monitoring and self-reporting that 
provides the framework for compliance under most of our environmental 
programs. Therefore, EPA is especially interested in any concerns or 
issues that commenters may wish to raise about the effect that moving 
from paper to the electronic medium may have on this compliance 
structure--as well as assessments of the approaches EPA is proposing to 
address these concerns.

F. How Were Stakeholders Consulted in Developing Today's Proposal?

    Today's proposal reflects more than eight years of interaction with 
stakeholders--including State and local governments, industry groups, 
the legal community, environmental non-government organizations, ANSI 
ASC X12 sub-committees, and other federal agencies. Many of our most 
significant interactions involved electronic reporting pilot projects 
conducted with State agency partners, including the States of 
Pennsylvania, New York, Arizona, and several others. In addition, over 
a two-year period beginning in May, 1997, EPA worked together with 
approximately 35 States on the State Electronic Commerce/Electronic 
Data Interchange Steering Committee (SEES) convened by the National 
Governors' Association (NGA) Center for Best Practices (CBP). The 
product of the SEES effort was a document entitled, ``A State Guide for 
Electronic Reporting of Environmental Data,'' available in the docket 
for this rulemaking, along with reports on some of the more recent 
state/EPA electronic reporting pilots. Information on SEES is also 
available at: www.nga.org/CBP/Activities/EnviroReporting.asp. Today's 
proposal has benefitted greatly from the SEES discussions, and EPA 
believes that the proposal is generally consistent with the SEES 
``State Guide''.
    Beginning in June, 1999, EPA also sponsored a series of conferences 
and meetings with the explicit purpose of seeking stakeholder advice on 
today's rulemaking. These included:
     The Symposium on Legal Implications of Environmental 
Electronic Reporting, June 23-25, 1999, convened by the Environmental 
Law Institute;
     Two NGA-convened State meetings, held in Cleveland, April 
11-12, 2000, and in Phoenix, June 1-2, 2000; and
     Two public meetings, held in Chicago, June 6, 2000, and in 
Washington, D.C., July 11, 2000.
    Reports of these conferences and meetings are also available in the 
rulemaking docket.

[[Page 46167]]

III. Scope of Today's Proposal

A. Who May Submit Electronic Documents and Maintain Electronic Records?

    Any regulated company or other entity that submits documents 
addressed by today's proposal (see section III.B., below) directly to 
EPA can submit them electronically as soon as EPA announces that the 
Central Data Exchange or a designated alternative system is ready to 
receive these reports. Any regulated company or other entity that 
maintains records addressed by today's proposal (see section III.C., 
below) under EPA regulations can store them in an electronic form 
subject to the proposed criteria for electronic record-keeping as soon 
as EPA announces that the specified records may be kept electronically. 
As noted in section I.B of this preamble, the rule will not authorize 
the conversion of existing paper records to an electronic format. 
Regulated companies or other entities that submit documents or maintain 
records under authorized State or tribal programs may submit or 
maintain them electronically as soon as EPA approves the changes to the 
authorized programs that are necessary to implement the State's or 
tribe's provisions for electronic reporting or recordkeeping.
    Under today's proposal, the entities that can use electronic 
reporting and record-keeping will not be required to do so; they can 
still use the medium of paper for document submissions and records if 
they choose. Nonetheless, nothing in this proposal will prohibit State, 
tribal or local authorities from requiring electronic reporting or 
record-keeping under applicable State, tribal and local law.

B. How Does Today's Proposal Relate to the New E-SIGN Legislation?

    The environmental reports and records that are the subject of this 
rule are generally not subject to the recently enacted ``Electronic 
Signatures in Global and National Commerce Act of 2000'' (``E-SIGN'' or 
``the Act''), Public Law 106-229, because most of these governmentally-
mandated documents are not amongst the ``transactions'' to which E-SIGN 
applies. However, the EPA has authority to permit electronic reporting 
under the statutes it administers and under the Government Paperwork 
Elimination Act (GPEA) of 1998, Public Law 105-277, 
http://ec.fed.gove/gpedoc.htm. E-SIGN establishes the legal 
equivalence between: (1) 
Contracts written on paper and contracts in electronic form; (2) pen-
and-ink signatures and electronic signatures; and (3) other legally-
required written documents (termed ``records'' in the statute) and the 
same information in electronic form. As a general rule, if parties to a 
transaction in interstate commerce choose to use electronic signatures 
and records, E-SIGN grants legal recognition to those methods. E-SIGN 
provides that no contract, signature, or record relating to such a 
transaction shall be denied legal effect solely because it is in 
electronic form, nor may such a document be denied legal effect solely 
because an electronic signature or record was used in its formation. 
GPEA also provides such language for government filings covered by this 
rule and provides similar legal validity for associated electronic 
signatures. When E-SIGN takes effect on October 1, 2000, statutes or 
agency rules containing paper-based requirements that might otherwise 
deny effect to electronic signatures and records in consumer, 
commercial or business transactions between two or more parties will be 
superseded. E-SIGN does, however, permit federal and State agencies to 
set technology-neutral standards and formats for the submission and 
retention of electronic documents.
    E-SIGN applies broadly to commercial, consumer, and business 
transactions in or affecting interstate or foreign commerce, including 
transactions regulated by both federal and State government. However, 
the conferees who drafted this legislation specifically excluded 
``governmental transactions'' from the definition of transactions that 
are subject to E-SIGN; accordingly, E-SIGN does not cover transactions 
that are uniquely governmental, such as the transmission of a 
compliance report to a federal or State agency. Nonetheless, E-SIGN 
does cover documents that are created in a commercial, consumer, or 
business transaction, even if those documents are also submitted to a 
governmental agency or retained by the regulated community for 
governmental purposes. For example, an insurance contract that is 
commemorated in an electronic document will be covered by the 
provisions of E-SIGN, even if EPA or an authorized State requires that 
the policy-holder maintain proof of insurance as part of a federal or 
State environmental program. In order to ensure that these documents 
will meet governmental needs, the Act permits the government to set 
technology-neutral standards and formats for such records. In order 
that governmental agencies have time to promulgate these standards and 
formats, E-SIGN has a delayed effective date for its record-retention 
provisions of March 1, 2001. If a federal or State regulatory agency 
has proposed a standard or format for document retention by March 1, 
2001, the Act will take effect with respect to those records on June 1, 
2001.

C. Which Documents Could Be Filed Electronically?

    With the exception of the Hazardous Waste Manifest (which EPA is 
addressing in a separate electronic reporting rule), today's proposal 
addresses document submissions required by or permitted under any EPA 
or authorized State, tribal or local program governed by EPA's 
regulations in Title 40 of the Code of Federal Regulations (CFR). 
Nonetheless, EPA will need time to develop the hardware and software 
components required for each individual type of document. Similarly, 
EPA will need time to evaluate State, tribal, and local electronic 
document receiving systems to ensure that they meet the criteria 
articulated in today's proposal. Accordingly, once this rule takes 
effect, documents subject to this rule submitted directly to EPA can 
only be submitted electronically after EPA announces in the Federal 
Register that the Central Data Exchange (CDX) or an alternative system 
is ready to receive them. Documents subject to this rule submitted 
under an authorized State or tribal program can only be submitted 
electronically once EPA has approved the necessary changes to the 
authorized program.
    Both in developing the CDX, and in approving changes to authorized 
State and tribal programs related to electronic reporting, EPA plans to 
give priority to receipt of the relatively high volume environmental 
compliance reports that do not involve the submission of confidential 
business information (CBI). EPA believes that receipt of electronically 
transmitted CBI requires considerably stronger security measures than 
the initial version of CDX may be able to support, including provisions 
for encryption. While EPA does plan to enhance CDX to accommodate CBI, 
we will first want to gain experience implementing CDX in the non-CBI 
arena and also take the time to explore CBI security issues with 
companies that submit confidential data. EPA seeks comments and advice 
on priorities for electronic reporting implementation. EPA also seeks 
comments on this proposal's global approach, and whether specific 
exclusions should be added to the rule.

[[Page 46168]]

D. Which Records Can Be Maintained Electronically and Which Can Not?

    Today's proposal addresses records that EPA or authorized State, 
tribal or local programs require regulated entities to maintain under 
any of the environmental programs governed by Title 40 of the CFR or 
related State, tribal and local laws and regulations. Nonetheless, 
individual EPA programs may need additional time to consider more 
specific provisions for administering the maintenance of electronic 
records under their regulations. Similarly, EPA will need time to 
evaluate State, tribal, and local programs' provisions for 
administering electronic records maintenance to ensure that such 
records will meet the criteria articulated in today's proposal.
    Accordingly, once this rule takes effect, any records subject to 
this rule submitted directly to EPA can only be maintained 
electronically after EPA announces in the Federal Register that EPA is 
ready to allow electronic records maintenance to satisfy the specified 
record-keeping requirements. Records subject to this rule maintained 
under an authorized State or tribal program can only be maintained 
electronically once EPA has approved the necessary changes to the 
authorized program. Electronic records specified in such Federal 
Register announcements or authorized program changes can be 
maintained in lieu of paper records so long as they meet the 
requirements in this proposal, unless paper records are specifically 
required in regulations promulgated on or after promulgation of this 
final rule. However, today's proposal will not apply to paper records 
that are already in existence--whether these are maintained under EPA 
programs or under authorized State, tribal or local programs--and will 
not provide that any of these paper records can be converted to an 
electronic format. In addition, today's proposal does not address 
contracts, grants, or financial management regulations contained in 
Title 48 of the CFR. EPA is addressing such procurement-related 
activities separately. Accordingly, today's proposal does not apply to 
records maintained under these Title 48 regulations, whether this 
record-keeping was administered by EPA or by a State, tribal or local 
program under EPA authorization.

E. How Would Today's Proposal Implement Electronic Reporting and 
Record-Keeping?

    EPA proposes our overall policy and requirements for electronic 
reporting and record-keeping as a new 40 CFR part 3, which consists of 
four (4) Subparts. Subpart A provides that any reporting requirement in 
Title 40 can be satisfied with an electronic submission to EPA that 
meets certain conditions (specified in Subpart B) once EPA publishes a 
notice that electronic document submission is available for this 
requirement. Similarly, Subpart A provides that any record-keeping 
requirement in Title 40 can be satisfied with electronic records that 
meet certain conditions (specified in Subpart C) once EPA publishes a 
notice that electronic record-keeping is available for this 
requirement. Subpart A also provides that electronic reporting and 
record-keeping can be made available under EPA-authorized State, tribal 
or local environmental programs as soon as EPA approves the necessary 
changes to these authorized programs (in accordance with Subpart D). In 
addition, subpart A makes clear: (1) That electronic document 
submission or record-keeping, while permissible under the terms of this 
part, will not be required; and (2) that this regulation will confer no 
right or privilege to submit data electronically and will not obligate 
EPA or State, tribal or local agencies to accept electronic data except 
as provided under this regulation.
    Subpart B sets forth the general requirements for acceptable 
electronic documents submitted to EPA. It provides that electronic 
documents must be submitted either to EPA's Central Data Exchange (CDX) 
or other EPA designated systems. It also includes general requirements 
for electronic signatures. Subpart C sets forth requirements that 
regulated entities must satisfy if they wish to maintain their 
electronic records in satisfaction of EPA record-keeping requirements. 
Finally, subpart D sets forth the process and criteria for EPA approval 
of changes to authorized State, tribal and local environmental programs 
to allow electronic document submissions or record-keeping to satisfy 
requirements under these programs. With respect to electronic document 
submissions, subpart D includes detailed criteria for acceptable State, 
tribal or local agency electronic document receiving systems against 
which EPA will assess authorized program implementations of electronic 
reporting.
    The table below describes the applicability of each of these 
proposed new subparts.

------------------------------------------------------------------------
              Subpart                           Applicability
------------------------------------------------------------------------
A. General Provisions.............  Companies and other entities
                                     regulated under Title 40 of the
                                     Code of Federal Regulations, and
                                     State, tribal and local agencies
                                     with electronic document receiving
                                     systems used to receive documents
                                     under their authorized programs.
B. Electronic Reporting to EPA....  Companies and other entities
                                     regulated under Title 40 of the
                                     Code of Federal Regulations.
C. Electronic Record-keeping under  Companies and other entities
 EPA Programs.                       regulated under Title 40 of the
                                     Code of Federal Regulations.
D. Approval of Electronic           State, tribal and local agencies
 Reporting and Record-keeping        with electronic document receiving
 under State Programs.               systems or electronic record-
                                     keeping programs for which EPA
                                     approval is required.
------------------------------------------------------------------------

    Given the proposed provisions of Subpart A, a regulated entity 
wishing to determine whether electronic reporting or record-keeping was 
available under some specific regulation will have to verify that EPA 
has published a Federal Register notice announcing their availability 
and will have to locate any additional provisions or instructions 
governing the electronic option for the particular reporting or record-
keeping requirements. EPA seeks comments on whether the new Part 3 
should include specific cross-references to such announcements and 
instructions to the extent that these are codified elsewhere in Title 
40. The cross references could be organized by CFR subparts of Title 
40, and could provide a simple listing of program-specific regulations 
for which EPA has implemented electronic reporting or record-keeping 
under the provisions of today's proposal. EPA invites suggestions on 
the most helpful cross-referencing scheme.

IV. The Requirements in Today's Proposal

A. What Are the Proposed Requirements for Electronic Reporting to EPA?

    Today's proposal specifies just two requirements for electronic 
reporting to

[[Page 46169]]

EPA. First, electronic documents must be submitted to an appropriate 
EPA electronic document receiving system; generally this will be EPA's 
Central Data Exchange (CDX), although EPA can also designate additional 
systems for the receipt of electronic documents. Second, where an 
electronic document must bear a signature under existing regulations or 
guidance, it must be signed (by the person authorized to sign under the 
current applicable provision) with an electronic signature that can be 
validated using the appropriate EPA electronic document receiving 
system. The proposal stipulates that the electronic signature will make 
the person who signs the document responsible, or bound, or obligated 
to the same extent as he or she would be signing the corresponding 
paper document by hand. Only electronic submissions that meet these two 
requirements will be recognized as satisfying a federal environmental 
reporting requirement, although failure to satisfy these requirements 
will not preclude EPA from bringing an enforcement action based on the 
submission.
    It should be noted that the second requirement, concerning 
signatures, will apply only where the document would have to bear a 
signature were it to be submitted on paper, either because this is 
stipulated in regulations or guidance, or because a signature is 
required to complete the paper form. Today's proposal is not intended 
to require additional signatures on documents when they are migrated 
from paper to electronic submission. The EPA electronic document 
receiving system will indicate to the submitter whether a signature is 
required to complete submission of an electronic document--although the 
presence or absence of this indication will not affect whether or not a 
signature is required for a document to have legal effect.
    Beyond these two requirements, the proposed rule does not specify 
any required hardware or software. Accordingly, the proposed rule text 
does not include any detail about CDX per se or about what will be 
required of regulated entities who wish to use it. Nonetheless, in 
publishing today's proposal, one of EPA's goals is to share our plans 
for the CDX and to invite comments on the technical approaches that it 
represents. Therefore, section V, below, explains the details of CDX as 
it is currently planned--including CDX technical approaches to 
satisfying our proposed functional criteria, and what use of CDX to 
submit electronic documents will require of the users. We are also 
including the draft CDX design specifications in the docket for today's 
proposed rule. In reviewing these materials, however, the reader should 
bear in mind that the details of CDX that they specify have not been 
finalized, and may be affected by the comments received on today's 
proposal. In the preamble to the notice of final rulemaking for today's 
proposal, EPA will describe the details of CDX as it will actually be 
implemented, and will highlight any significant changes from the design 
as described in this proposal.
    Of course, even after the current CDX design is finalized and 
implemented, the system may change--to take advantage of opportunities 
offered by evolving technologies, as well as to correct any 
deficiencies that operational experience reveals. Our proposed 
regulatory strategy--avoiding the codification of technology-specific/
procedural provisions--is meant to accommodate such changes without 
requiring that we amend our regulations. Nonetheless, EPA recognizes 
that such changes can be disruptive to regulated entities that 
participate in electronic reporting; therefore, we are adding 
provisions that commit EPA to provide adequate public notice where a 
contemplated change may have this impact. In general, we foresee four 
kinds of cases:
     Major changes that can be disruptive to regulated 
entities; these will likely affect the kinds of hardware or software 
required to submit electronic reports--examples may include required 
changes to the file formats CDX will accept, or to the required 
electronic signature technology, but will not generally include 
optional upgrades to software, the provision of additional formatting 
(or other technical) options, or changes to CDX that simply reflect 
changes to the regulatory reporting requirements that the system is 
supporting;
     Minor changes that will likely not be disruptive; these 
will affect the user interface but without affecting the hardware or 
software required to submit electronic reports--examples may include 
changes to screen layouts, or sequencing of user prompts;
     Transparent changes that will affect CDX operation without 
any apparent change in interaction with submitters--an example may be a 
change to the CDX archiving process; and
     Emergency changes necessary to protect the security or 
operational integrity of CDX--an example may be an upgrade to the 
system firewall protection.
    Our approach will then be to provide public notice and seek comment 
on major changes at least a year in advance of contemplated 
implementation. For minor changes we will provide public notice at 
least 60 days in advance of implementation. For transparent changes and 
emergency changes we will make decisions on whether and when to provide 
public notice on a case-by-case basis. EPA seeks comment on this 
approach, including the kinds of cases we distinguish and the proposed 
time-frames for notice. We are especially interested in views on the 
appropriateness of the time-frame for notice of major changes--and 
specifically on whether a shorter time-frame, e.g. 9 months or 6 
months, would provide adequate notice while giving EPA greater 
flexibility to make timely responses to changes in the technological 
environment. We also seek comment on the more general question of 
whether it is in the best interests of EPA and our regulated entities 
to codify these public notice provisions at all, or whether they may 
place at risk our ability to be sufficiently responsive to the changing 
needs of our user community. We are also interested in the question of 
whether the different kinds of cases are or can be defined with 
sufficient precision to form the basis for workable regulatory 
provisions, and we welcome any suggestions for alternative regulatory 
language.

B. What Requirements Must Electronically Maintained Records Satisfy?

    1. General Approach. In today's proposed rule, EPA is proposing a 
set of criteria that will have to be met by regulated entities that 
maintain electronic records in lieu of paper records, to satisfy 
record-keeping requirements under EPA regulations in Title 40 of the 
CFR. The proposed criteria address the minimal functional capabilities 
that an electronic record-retention system must possess in order for an 
electronic record or document to meet a federal environmental record-
keeping requirement. Regulated entities that use electronic systems to 
create, modify, maintain, or transmit electronic records will need to 
employ procedures and controls designed to meet the minimum criteria in 
today's rule. These criteria are designed to ensure that electronic 
records are trustworthy and reliable, available to EPA and other 
agencies and their authorized representatives in accordance with 
applicable federal law, and admissible as evidence in a court of law to 
the same extent as a corresponding paper record.
    2. EPA's Proposed Criteria for Electronic Record-Retention Systems. 
In general, EPA believes that for electronic records to be trustworthy 
and reliable,

[[Page 46170]]

their corresponding electronic record-retention system must: (1) 
Generate and maintain accurate and complete copies of records and 
documents in a form that does not allow alteration of the record 
without detection; (2) ensure that records are not altered throughout 
the records' retention period; (3) produce accurate and complete copies 
of an electronic record and render these copies readily available, in 
both human readable and electronic form as required by predicate 
regulations, throughout the entire retention period; (4) ensure that 
any record bearing an electronic signature contains the name of the 
signatory, the date and time of signature, and any information that 
explains the meaning affixed to the signature; (5) protect electronic 
signatures so that any signature that has been affixed to a record 
cannot be detached, copied, or otherwise compromised; (6) use secure, 
computer-generated, time-stamped audit trails to automatically record 
the date and time of operator entries and actions that create, modify, 
or delete electronic records; (An audit trail is an important element 
of any acceptable electronic record, for it provides an electronic 
record of key entries and actions to a record throughout its life 
cycle. Such audit trail documentation needs to be retained for a period 
at least as long as that required for the subject electronic records. 
Audit trail documentation also needs to be available for agency 
review.) (7) ensure that records are searchable and retrievable for 
reference and secondary uses, including inspections, audits, legal 
proceedings, third party disclosures, as required by predicate 
regulations, throughout the entire retention period; (8) archive 
electronic records in an electronic form that preserves the context, 
metadata, and audit trail; (Depending on the record retention period 
required in predicate regulations, regulated entities must ensure that 
the complete records, including the related metadata, can be maintained 
in secure and accessible form on the preexisting system or migrated to 
a new system, as needed, throughout the required retention period.) and 
(9) make computer systems (including hardware and software), controls, 
and attendant documentation readily available for agency inspection. 
EPA believes that where these 9 criteria are met, records required to 
be maintained under EPA regulations can be kept electronically, 
including where they involve or incorporate signatures.
    3. Electronic Records with Electronic Signatures. Where electronic 
records involve or incorporate electronic signatures meeting the 
requirements under Subpart C of this proposal, EPA will consider the 
electronic signatures to be equivalent to hand-written signatures. EPA 
believes the criteria described in paragraph B.2. above address the 
conditions for cases of electronic records involving signatures, such 
as: first, a signed electronic record must contain information 
associated with the signing that clearly indicates the name of the 
signer, the date and time when the electronic record was signed, and 
the meaning associated with the signature (such as review, approval, 
responsibility, authorship, etc.); second, electronic signatures must 
be linked to their respective electronic records to ensure that the 
signatures cannot be excised, copied or otherwise transferred so as to 
falsify an electronic record by ordinary means; third, this information 
will be subject to the same controls as those for electronic records 
and must be included as part of any human readable form of the 
electronic record (such as electronic display or printout). EPA seeks 
comment on whether these criteria are appropriate and whether--taken 
together with the general criteria--they are sufficient to ensure that 
signatures associated with records fulfill their purpose. EPA also 
seeks comment on whether these criteria are appropriate for the 
maintenance of electronic records containing digital signatures. (For 
an explanation of digital signatures, and their role in CDX, see 
Section V.B.1 of this preamble.) The special issues involved in 
maintaining digitally signed records are discussed in Section IV.D.6 of 
this preamble--in connection with archiving requirements for electronic 
document receiving systems--and EPA is interested in views on whether 
these issues need to be more explicitly addressed by the criteria for 
electronic record-retention systems discussed here, especially the 
criterion provided in Sec. 3.100(5), which addresses the maintenance of 
the electronic signature as a part of the electronic record. EPA seeks 
comment on whether this provision should be expanded to accommodate 
some of the possible procedures for archiving digital signatures referred 
to at the end of Section IV.D.6.
    4. The Relation of These Requirements to Food and Drug 
Administration (FDA) Criteria. The criteria set forth in today's 
proposed rule--both the general and those specific to records with 
associated signatures--are intended to be consistent with criteria set 
forth for electronic document systems in other relevant regulations, 
such as FDA's criteria in 21 CFR part 11. EPA seeks comment on whether 
today's proposed requirements achieve this consistency, and whether 
this consistency is an appropriate goal for this rulemaking.
    5. Storage Media Issues. Given the fast-paced evolution of 
technology, it is realistic to expect that electronic records will be 
transferred from one media format to another during the required period 
of record retention. While EPA allows for such transfers in today's 
proposed rule, any such transfer must occur in a fashion that ensures 
that the entire electronic record is preserved without modification. As 
noted earlier, the electronic record will include not only the 
electronic document itself, but also the required information regarding 
time of receipt, date of receipt, etc. Any method of migrating 
electronic records from one electronic storage medium to another that 
fails to meet this criterion will not produce records that meet federal 
environmental record-retention requirements. For example, a CD-ROM 
version of a record originally stored on electromagnetic tape will not 
satisfy federal record-keeping requirements unless the method for 
transferring the record from one medium to the other employs error-
checking software to ensure that the data is completely and faithfully 
transcribed. EPA seeks comment on whether this criterion is sufficient 
to ensure that the integrity and authenticity of the electronic record 
are maintained throughout its required record retention period.
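One way to perform the error check this paragraph calls for, as an added example that is not part of the proposed rule or of any EPA system: hash every component of the record on the old medium, copy it, and compare against the new medium. The file names, directory layout and sample contents are constructed assumptions.

```python
"""Check that a record (document, receipt metadata, audit trail) survives
migration to a new storage medium complete and unmodified."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Hash a file in chunks so large records need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(record_dir: Path) -> dict:
    """Map each file of the record (relative path) to its SHA-256 digest."""
    return {
        path.relative_to(record_dir).as_posix(): sha256_file(path)
        for path in sorted(record_dir.rglob("*"))
        if path.is_file()
    }


def verify_migration(source_manifest: dict, target_dir: Path) -> dict:
    """Compare the migrated copy against the manifest taken before migration.

    The source manifest must itself be kept where the migration job cannot
    rewrite it, otherwise a faulty copy could be made to look correct.
    """
    target_manifest = build_manifest(target_dir)
    missing = sorted(set(source_manifest) - set(target_manifest))
    unexpected = sorted(set(target_manifest) - set(source_manifest))
    altered = sorted(
        name for name in source_manifest
        if name in target_manifest
        and source_manifest[name] != target_manifest[name]
    )
    return {
        "missing": missing,
        "altered": altered,
        "unexpected": unexpected,
        "ok": not (missing or altered or unexpected),
    }


def demo() -> tuple:
    """Run one faithful and one faulty migration on a constructed record."""
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed sample record on the "old" medium.
        old_medium = Path(workdir) / "tape" / "record-0001"
        old_medium.mkdir(parents=True)
        (old_medium / "document.xml").write_bytes(
            b"<report><so2_tons>41.7</so2_tons></report>\n")
        (old_medium / "receipt_metadata.json").write_bytes(
            b'{"received_date": "2001-08-31", "received_time": "14:05:09Z"}\n')
        (old_medium / "audit_trail.log").write_bytes(
            b"2001-08-31T14:05:09Z created by operator-17\n")
        manifest = build_manifest(old_medium)

        # Faithful transfer: every component arrives unchanged.
        good_copy = Path(workdir) / "cdrom-a" / "record-0001"
        shutil.copytree(old_medium, good_copy)
        good = verify_migration(manifest, good_copy)

        # Faulty transfer: receipt metadata dropped, one bit of the document flipped.
        bad_copy = Path(workdir) / "cdrom-b" / "record-0001"
        shutil.copytree(old_medium, bad_copy)
        (bad_copy / "receipt_metadata.json").unlink()
        data = bytearray((bad_copy / "document.xml").read_bytes())
        data[20] ^= 0x01
        (bad_copy / "document.xml").write_bytes(bytes(data))
        bad = verify_migration(manifest, bad_copy)
    return good, bad


if __name__ == "__main__":
    for label, result in zip(("faithful", "faulty"), demo()):
        print(label, result)
```

The faulty run shows why the check has to cover the whole record: a copy that preserves the document but loses the receipt metadata still fails.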
    6. Additional Options. In addition to the criteria discussed above, 
EPA is currently evaluating the need for additional controls for 
electronic records under this rule. Over the course of the next five 
(5) months, EPA plans to conduct additional analysis, and based on the 
results of this analysis and the public comments received on the 
electronic record provisions contained in today's proposal, EPA may 
determine that additional provisions are required for electronic 
records. If such a determination is made, prior to proposal of the 
final rule, EPA will publish a supplemental notice detailing any 
additional electronic record provisions to be included in the final 
rule. We realize that the electronic records criteria in today's rule 
are not as detailed as those contained in FDA's 21 CFR part 11 and seek 
comments on whether our proposed criteria are sufficient to ensure the 
authenticity, integrity, and non-repudiation of electronic records 
maintained by regulated facilities in fulfillment of their compliance 
obligations. EPA is considering whether or not to include

[[Page 46171]]

additional provisions found in the FDA regulations in our final rule. 
Such provisions could include the following: (1) Establishment and 
implementation of written policies that limit system access to 
authorized individuals, as well as the use of authority checks to 
ensure that only authorized individuals can use the system, 
electronically sign a document, access the operation or computer system 
input or output device, alter a record, or perform the operation at 
hand; (2) establishment and implementation of written policies that 
hold individuals accountable and responsible for actions initiated 
under their electronic signatures, in order to deter record and 
signature falsification; (3) use of device (e.g., terminal) checks to 
determine the validity of the source of data input or operational 
instruction; (4) use of additional measures such as document encryption 
and use of appropriate digital signature standards to ensure record 
authenticity, integrity, and non-repudiation; (5) routine and 
documented validation of systems to ensure accuracy, reliability, 
consistent intended performance, and the ability to discern invalid or 
altered records; (6) establishment and implementation of written 
policies governing education and training of personnel and certification 
that persons who develop, maintain, or use electronic record signature 
systems have the education, training, and experience to perform their 
assigned tasks. EPA is also seeking comment on the general feasibility 
of converting existing paper documents--including litigation-sensitive 
records--to electronic documents, as well as comments on the strengths 
and weaknesses of existing technologies available for this purpose.

C. What Is the Process That EPA Will Use To Approve Changes To 
Authorized State and Tribal Programs Related to Electronic Reporting 
and Record-Keeping?

    EPA expects that States, tribes and local agencies that administer 
EPA-authorized environmental programs will wish to implement electronic 
reporting and recordkeeping at least as quickly and extensively as EPA. 
Therefore, in overseeing these programs, EPA wishes to balance multiple 
objectives of minimizing administrative burden on States, providing 
State flexibility for varying State approaches, and ensuring that State 
systems are robust enough to meet the demands of a strong enforcement 
capability. EPA considered several options for meeting these needs, 
including program-by-program approval processes--in each case under 
applicable EPA program-specific regulations--State self-certifications, 
and a centralized approval process. This proposal provides for State 
flexibility by specifying performance criteria rather than requiring 
specific technologies, and balances other objectives through use of a 
hybrid process for approving changes to authorized State and tribal 
programs.
    Under this process, EPA will provide a single set of substantive 
performance criteria, listed in today's proposal, that will apply to 
any authorized program where EPA determines that electronic reporting 
and record-keeping will involve substantive changes to the program that 
will require EPA approval. Today's proposal contains language that 
would make compliance with these Part 3 criteria an element of all 
authorized State, tribal, or local programs that wish to accept 
electronic reports or allow electronic recordkeeping, although the 
language does not change the procedural requirements for modifications 
to any of these programs. This means, for example, that a State planning 
to institute electronic reporting for an authorized program will have 
to meet the normal EPA approval requirements for that program--whether 
the approval sought is for a single program or for an electronic 
document receiving system that would support multiple authorized, 
delegated, or approved environmental programs. In the case where 
multiple programs will be affected, the State will still need to seek 
modification of each such program under existing program approval or 
revision procedures; however, EPA expects that it will evaluate such 
multiple applications in a single internal review. Moreover, EPA 
solicits comment on whether another approach should be taken to State 
and tribal program modification or revision for electronic reporting or 
record-keeping.
    Alternatively, State, tribal or local agencies may wish to rely on 
third-party systems to receive reports on their behalf, where these 
systems are operated or owned by commercial or not-for-profit 
organizations. Today's proposal will allow this on the condition that 
the electronic document receiving system employed by the State, tribal 
or local agency satisfy the substantive performance criteria that we 
specify, and authorization approvals are obtained where necessary.

D. What Criteria Are EPA Proposing That State Electronic Report 
Receiving Systems Must Satisfy?

    In today's proposed rule, EPA is providing a set of criteria that 
will have to be met by any system that is used to receive electronic 
documents submitted to satisfy electronic document submission 
requirements under any EPA-authorized State, tribal, or local 
environmental program. The proposed criteria address the functional 
capabilities that EPA believes a State's, tribe's or local government's 
``electronic document receiving system'' must have if it is to ensure 
the authenticity and non-repudiation of these electronic documents. EPA 
has developed these criteria to ensure that any electronic document has 
the same legal dependability as its paper counterparts. EPA does not 
intend to imply that information or documents derived from electronic 
reporting or record-keeping systems that do not meet all of EPA's 
criteria, or from transactions that were not in compliance with all 
applicable requirements and agreements, could not be introduced as 
evidence at trial, would not constitute admissions, or would not 
constitute records required by, or used for compliance with, applicable 
statutes (e.g., Clean Water Act section 309(c)(4), Resource 
Conservation and Recovery Act section 3008(d)(3)). EPA's criteria are 
intended to result in systems and records that will provide the best 
evidence for use by plaintiffs and prosecutors in enforcement actions, 
and to facilitate the success of such enforcement actions.
    These criteria are designed to ensure any electronic document used 
as evidence in the course of prosecuting an environmental crime or 
civil violation will have the same or better evidentiary value as its 
paper equivalent. For example, the criteria are designed to ensure that 
in prosecuting the crime of deliberate falsification of compliance 
data, the identity of the person who signed a falsified document can be 
established beyond a reasonable doubt. One of the criteria, entitled 
``Validity of Data,'' and proposed in section 3.2000(b), addresses this 
standard directly. In general, a system that is used to receive 
electronic documents must be capable of reliably generating proof for 
use in private litigation, enforcement proceedings, and criminal 
proceedings in which the standard for conviction is proof beyond a 
reasonable doubt that the electronic document was actually submitted by 
the signatory and that the data it contains was not submitted in error.
    To satisfy this general criterion, an electronic document receiving 
system must establish: (1) That an electronic document was sent (or not 
sent), (2) when the document was sent, (3) by whom the document was 
sent, including both the individual and the identity of any entity the 
individual is authorized to represent, (4) when the

[[Page 46172]]

document was received, (5) that the document was not altered from the 
time it was sent to the time it was received, and (6) the contents of 
the document sent. In addition, the electronic document receiving system 
must store and be able to retrieve every electronic document without 
alteration to its content or loss of the information regarding time of 
transmission, receipt, and authorship. The remaining, more specific 
criteria have been developed to meet these goals, while at the same 
time taking account of what can reasonably be expected of the various 
types of electronic reporting technologies currently available.
    It should be noted that many of these criteria will not apply, or 
not apply in full, where the electronic document receiving system will 
not be used to receive documents bearing signatures or documents used 
in litigation or enforcement proceedings. Generally, documents not 
requiring signature are less likely to play a role in criminal 
prosecutions; therefore, the criterion that refers to ``Validity of 
Data'' might not apply to systems that receive such documents. In 
addition, the specifications of ``electronic signature method,'' and 
``electronic signature/certification scenario'' will be inapplicable, 
along with any provision connected with ``system security 
requirements,'' ``registration process,'' ``transaction record,'' and 
``system archives'' that refers to signature. EPA invites comment on 
the exclusion of these criteria in cases where systems will not receive 
signed documents or documents used in litigation or enforcement and 
criminal proceedings. EPA will consider the possibility of developing a 
set of criteria explicitly addressing electronic document receiving 
systems that will not receive electronically signed documents if it 
appears that States, tribes or local governments want to implement such 
systems for their authorized environmental programs. Such systems might 
be appropriate, for example, in the cases where agencies wished to 
accept electronic submissions of data but continued to require that 
associated certification statements be signed and submitted on paper. 
EPA invites comment on whether it would be worth developing the 
alternative set of criteria for systems that exclude electronic 
signatures.
    1. General System-Security Requirements. Proposed section 3.2000(a) 
requires every system used to receive electronic documents to (1) have 
robust protections against unauthorized access to the system; (2) have 
robust protections against the unauthorized use of any electronic 
signature on documents received; (3) provide for the detection of 
unauthorized access or attempted access to the system and unauthorized 
use or attempted use of any electronic signature on documents received; 
(4) provide safeguards to prevent the modification of an electronic 
report once an electronic signature has been affixed; (5) ensure that 
every electronic record is protected from modification or deletion; (6) 
provide safeguards to ensure that the system clock is accurate and 
protected from tampering or other compromise; and (7) provide 
safeguards to prevent any other corruption or compromise of the system.
    We believe each of the seven proposed requirements is important to 
maintain the overall security of an electronic document receiving 
system. We seek comment on whether--taken together--they are sufficient 
to ensure that the system can maintain the integrity and authenticity 
of the electronic documents it receives and maintains.
    2. Electronic Signature Method. To support the goals articulated 
under proposed section 3.2000(b) as the ``Validity of Data'' criterion, 
proposed section 3.2000(c) stipulates that an electronic document 
receiving system must validate only those electronic signatures that 
are created by a method that (1) Involves a registration process that 
identifies the bearer of an electronic signature; (2) includes all 
elements of an adequate signature/certification scenario (described in 
paragraph 4, below); (3) provides safeguards to prevent excise, 
modification, or appropriation of an affixed electronic signature; (4) 
provides safeguards to prevent use of an electronic signature by anyone 
other than the individual to whom it has been issued; and (5) ensures 
that it is impossible to modify an electronic document without 
detection once the electronic signature has been affixed. This last 
proposed requirement is sometimes expressed by saying that the 
signature must be ``bound'' to the contents of the report. We seek 
comment on whether these conditions are appropriate, and whether--taken 
together--they suffice to ensure that electronic signatures affixed to 
electronic documents will have the same or better evidentiary value as 
handwritten signatures on paper documents for purposes of prosecuting 
an environmental crime or civil violation.
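A sketch of what "bound" means in practice, covering both this requirement and the signed-record conditions in paragraph B.3 (signer name, date and time, and meaning carried with the record). This is an added example, not code from the proposal or from CDX; the field names and sample values are assumptions, and HMAC-SHA256 with a per-signer key stands in for the signature primitive so the block runs on the standard library alone.

```python
"""Bind a signature to both the document content and the signing information."""
import hashlib
import hmac
import json

# Meanings named in the preamble as examples of what a signature can convey.
MEANINGS = {"review", "approval", "responsibility", "authorship"}
REQUIRED_FIELDS = ("signer", "signed_at", "meaning", "document_sha256")


def canonical(obj: dict) -> bytes:
    """Serialize deterministically so signer and verifier hash the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_record(document: bytes, signer: str, signed_at: str,
                meaning: str, key: bytes) -> dict:
    """Produce a signature block that covers the content and the signing info."""
    if meaning not in MEANINGS:
        raise ValueError(f"unknown signature meaning: {meaning!r}")
    info = {
        "signer": signer,
        "signed_at": signed_at,
        "meaning": meaning,
        # Including the content digest is what ties the signature to this document.
        "document_sha256": hashlib.sha256(document).hexdigest(),
    }
    tag = hmac.new(key, canonical(info), hashlib.sha256).hexdigest()
    return {"signing_info": info, "signature": tag}


def verify_record(document: bytes, signature_block: dict,
                  registered_keys: dict) -> list:
    """Return a list of problems; an empty list means the record verifies."""
    problems = []
    info = signature_block.get("signing_info", {})
    for field in REQUIRED_FIELDS:
        if not info.get(field):
            problems.append(f"missing signing information: {field}")
    key = registered_keys.get(info.get("signer"))
    if key is None:
        problems.append("signer is not registered")
    else:
        expected = hmac.new(key, canonical(info), hashlib.sha256).hexdigest()
        presented = str(signature_block.get("signature", ""))
        if not hmac.compare_digest(expected.encode(), presented.encode("utf-8")):
            problems.append("signature does not match the signing information")
    if info.get("document_sha256") != hashlib.sha256(document).hexdigest():
        problems.append("document differs from the content that was signed")
    return problems


def render_human_readable(document: bytes, signature_block: dict) -> str:
    """Show the signing information with the record, as any display or printout must."""
    info = signature_block["signing_info"]
    return (
        document.decode("utf-8")
        + "\n--- signed by {signer} on {signed_at} ({meaning}) ---".format(**info)
    )


if __name__ == "__main__":
    # Constructed sample data.
    key = b"constructed-demo-key"
    report = b"Facility 0042 monthly discharge report: 41.7 tons"
    block = sign_record(report, "J. Rivera", "2001-08-31T14:05:09Z", "approval", key)
    print(verify_record(report, block, {"J. Rivera": key}))            # intact
    print(verify_record(b"another report", block, {"J. Rivera": key}))  # transplanted
    print(render_human_readable(report, block))
```

Because the content digest sits inside the signed data, a signature block copied onto a different document, or one whose stated meaning or timestamp is edited afterwards, fails verification.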
    3. Submitter Registration Process. In order to link a digital 
signature to the bearer of that signature, proposed section 3.2000(d) 
requires that an electronic document receiving system validate only 
those electronic signatures that are established through a process 
which registers identified individuals both as system users and as 
signature holders. EPA also proposes to require that an individual may 
not complete this registration process without first executing an 
agreement with the administering agency to properly use and protect the 
electronic signature.
    Of course, the registration process must also establish the 
identity of the registering individual and any entity that the 
individual is authorized to represent. Given the general ``Validity of 
Data'' criterion under section 3.2000(b), the process must establish 
the registrant's identity with information that will be sufficient to 
prove that this individual was the signature holder for purposes of 
private litigation, enforcement proceedings, and criminal proceedings. 
This requires at least that the registrant provide evidence of identity 
which can be verified by information sources that are independent of 
this individual and the regulated entity with which he or she is 
associated.
    As noted above, the rule requires that a registrant sign an 
agreement to properly use and protect his or her electronic signature. 
EPA proposes that the terms in any such agreement include, at a 
minimum, a commitment to: (1) Protect the electronic signature from 
unauthorized use; (2) be as legally-bound by use of the electronic 
signature as by hand-written signature; (3) where the signature device 
is based on a secret, e.g., a code, to maintain the secrecy of the 
electronic signature device; (4) immediately report any evidence that 
the electronic signature has been compromised; and (5) where the 
assistance of third parties may be required to protect a signature from 
unauthorized use--such as the assistance of system administrators in 
ensuring computer security--to secure such assistance. EPA believes 
that this agreement is important to ensure that the holder of an 
electronic signature understands how to properly use and protect the 
electronic signature. It is also important to ensure that the signature 
holder understands the legal effect of affixing the electronic signature 
to an electronic document. A proof that an individual's registered 
electronic signature was affixed to a document will establish a 
permissive inference that the individual who was issued that signature 
affixed the signature and did so with the intent to sign the document. 
To achieve these goals, EPA believes that the signature agreement 
should

[[Page 46173]]

consist of at least the following language:
    ``In accepting the electronic signature issued by [specify name of 
issuing agency or organization] to sign electronic documents submitted 
to [specify the name of the electronic document receiving system] on 
behalf of [specify the name of regulated entity the signature-holder 
represents], I, [name of electronic signature holder],
    (1) Agree to protect the signature from use by anyone except me, 
and to confirm system security with third parties where necessary. 
Specifically, I agree to [specify procedures appropriate to the form of 
electronic signature, for example, to maintain the secrecy of the code 
where the signature is based on a secret code];
    (2) Understand and agree that I will be held as legally bound, 
obligated, or responsible by my use of my electronic signature as I 
would be using my hand-written signature, and that legal action can be 
taken against me based on my use of my electronic signature in 
submitting an electronic document to [specify the name of the receiving 
agency];
    (3) Agree never to delegate the use of my electronic signature or 
make my signature available for use by anyone else;
    (4) Understand that whenever I electronically sign and submit an 
electronic document to [specify the name of the electronic document 
receiving system], acknowledgments and a copy of my submission as 
received will be made available to me;
    (5) Agree to review the acknowledgments and copies of documents I 
electronically sign and submit to [specify the name of the electronic 
document receiving system];
    (6) Agree to report to [specify the agency or organization to be 
reported to], within twenty-four (24) hours of discovery, any evidence 
of the loss, theft, or other compromise of any component of my 
electronic signature;
    (7) Agree to report to [specify the agency or organization to be 
reported to], within twenty-four (24) hours of discovery, any evidence 
of discrepancy between an electronic document I have signed and 
submitted and what [specify the name of the electronic document 
receiving system] has received from me;
    (8) Agree to notify [specify the agency or organization to be 
reported to] if I cease to represent [specify the name of regulated 
entity the signature-holder represents] as signatory of that 
organization's electronic submissions to [specify the name of the 
electronic document receiving system] as soon as this change in 
relationship occurs and to sign a surrender certification at that 
time.''
    In addition, given the importance of this agreement, EPA is also 
proposing that the registration process require that the agreement be 
renewed periodically, with the Administrator to determine the frequency 
of and the exact terms of the renewal statement, as well as whether a 
wet ink signature will be required. In making these determinations, EPA 
is proposing that the Administrator ensure that electronic reporting 
meets the overall goals of security and validity of data--articulated 
under proposed sections 3.2000(a) and 3.2000(b)--while taking into 
account the importance of keeping EPA practices consistent with 
marketplace standards for issuance and use of electronic signature 
devices in commerce. Given that both the technologies and marketplace 
practices surrounding electronic signatures are still evolving rapidly, 
EPA believes that the Administrator may need to revisit these 
determinations more than once; the proposed provision for these renewal 
agreements is intended to provide this flexibility.
    In terms of frequency of renewal, likely candidates for the 
Administrator to consider are once every two years or three years, but 
he or she may certainly set a longer renewal cycle (either in general 
or with regard to a particular State, tribal or local government 
system) if less frequent renewal better corresponds to marketplace 
standards and can be determined to still meet security and validity of 
data goals. EPA seeks comment on the various alternatives for renewal 
frequency--including one year and longer than three years--considering 
both marketplace standards and the goals of security and validity of 
data. EPA also seeks comment on whether any of the candidate renewal 
cycles would raise any administrative issues for State, tribal or local 
governments, and whether the Administrator's ability to revisit this 
determination--with the implied potential for a change in system 
requirements--poses any problems for systems planning or management.
    Concerning the terms of the renewal agreement, EPA believes that in 
the interest of supporting the goals of security and validity of data, 
the Administrator is likely to require the holder of the electronic 
signature to attest to compliance with the terms of the prior agreement 
since the time it was signed. To accomplish this, the Administrator may 
require that the signature-holder sign a statement that consists of at 
least the following:
    ``In continuing to use the electronic signature issued by [specify 
name of issuing agency or organization] to sign electronic documents 
submitted to [specify the name of the electronic document receiving 
system] on behalf of [specify the name of regulated entity the 
signature-holder represents], I, [name of electronic signature holder] 
continue to,
    (1) Agree to protect the signature from use by anyone except me, 
specifically, to [specify procedures appropriate to the form of 
electronic signature, for example, to maintain the secrecy of the code 
where the signature is based on a secret code];
    (2) Understand and agree that I will be held as legally bound, 
obligated, or responsible by my use of my electronic signature as I 
would be by using my hand-written signature, and that legal action can 
be taken against me based on my use of my electronic signature in 
submitting an electronic document to [specify the name of the receiving 
agency];
    (3) Agree never to delegate the use of my electronic signature or 
make my signature available for use by anyone else;
    (4) Understand that whenever I electronically sign and submit an 
electronic document to [specify the name of the electronic document 
receiving system], acknowledgments and a copy of my submission as 
received will be made available to me;
    (5) Agree to review the acknowledgments and copies of documents I 
electronically sign and submit to [specify the name of the electronic 
document receiving system];
    (6) Agree to report to [specify the agency or organization to be 
reported to], within twenty-four (24) hours of discovery, any evidence 
of the loss, theft, or other compromise of any component of my 
electronic signature;
    (7) Agree to report to [specify the agency or organization to be 
reported to], within twenty-four (24) hours of discovery, any evidence 
of discrepancy between an electronic document I have signed and 
submitted and what [specify the name of the electronic document 
receiving system] has received from me;
    (8) Agree to notify [specify the agency or organization to be 
reported to] if I cease to represent [specify the name of regulated 
entity the signature-holder represents] as signatory of that 
organization's electronic submissions to [specify the name of the 
electronic document receiving system] as soon as this change in 
relationship occurs and to sign a surrender certification at that time.
    ``Moreover, I certify that I have complied with the terms of the 
signature registration agreement I signed on [insert date of prior 
agreement], and

[[Page 46174]]

since that date I have reviewed, signed and submitted all the 
electronic documents submitted with my electronic signature to [specify 
the name of the electronic document receiving system] on behalf of 
[specify the name of regulated entity the signature-holder 
represents].''
    EPA seeks comment on all of these proposed registration agreement 
and renewal statement provisions, including the proposed provision for 
administrative determination of the frequency and terms of the renewal 
agreements. Given the purpose of these agreements and renewal 
statements, EPA is particularly interested in comment on whether all of 
them are necessary, particularly considering requirements for the on-
screen certification described under Electronic Signature/
Certification, in the next section of this preamble (Section IV.D.4). 
To the extent that all these agreements and renewals are necessary, EPA 
also seeks comment on whether the specific language suggested for each 
provision is adequate or necessary. It should be noted that EPA is 
currently not proposing to codify the specific language for these 
certifications and statements in the rule, and EPA seeks comments on 
the question of codification. It should also be noted that the proposed 
rule specifies that the signature agreement be signed on paper or in 
other media that EPA may designate. While EPA will initially require 
signature agreements to be signed on paper--and the Administrator may 
initially require this of renewals as well--EPA has the flexibility to 
allow electronic signatures in the future, as circumstances may 
warrant, and when EPA believes that electronic signatures can 
effectively substitute for hand-written signatures on paper for these 
electronic signature agreements and renewals. EPA seeks comment on 
whether any or all of these agreements and statements should be signed 
on paper.
    EPA also seeks comment on a possible additional certification 
statement, required to be signed when a signature holder surrenders the 
signature for whatever reason--e.g., change of jobs or retirement--
although this requirement is not included as a provision in today's 
proposal. In this surrender certification, the signature holder would 
be required to truthfully attest to compliance with the terms of the 
agreement since the most recent agreement was signed. If such a 
requirement is added, then EPA believes that the surrender 
certification signed by the signature holder should consist of at least 
the following:
    ``I certify that, since the time that I was first issued the 
electronic signature by [specify name of issuing agency or 
organization] to sign electronic documents submitted to [specify the 
name of the electronic document receiving system] on behalf of [specify 
the name of regulated entity the signature-holder represents], I have 
complied with the terms of agreement to which I then subscribed, and 
specifically that I have:
    (1) Protected the signature from use by anyone except me. 
Specifically, I have [specify procedures appropriate to the form of 
electronic signature, for example, maintained the secrecy of the code 
where the signature is based on a secret code];
    (2) Understood that I am held as legally bound, obligated, or 
responsible by my use of my electronic signature as I would be using my 
hand-written signature and that legal action can be taken against me 
based on my use of my electronic signature in submitting an electronic 
document to [specify the name of the receiving agency];
    (3) Never delegated the use of my electronic signature or made my 
signature available for use by anyone else;
    (4) Understood that whenever I electronically signed and submitted 
an electronic document to [specify the name of the electronic document 
receiving system], acknowledgments and a copy of my submission as 
received were made available to me;
    (5) Reviewed the acknowledgments and copies of documents I 
electronically signed and submitted to [specify the name of the 
electronic document receiving system];
    (6) Reported to [specify the agency or organization to be reported 
to], within twenty-four (24) hours of discovery, if I ever had any 
evidence of the loss, theft, or other compromise of any component of my 
electronic signature;
    (7) Reported to [specify the agency or organization to be reported 
to], within twenty-four (24) hours of discovery, if I ever had any 
evidence of discrepancy between an electronic document I signed and 
submitted and what [specify the name of the electronic document 
receiving system] had received from me.
    ``Moreover, I certify that I have complied with the terms of the 
signature registration agreement I signed on [insert date of the 
agreement signed when electronic signature was first issued], and since 
that date I have reviewed, signed and submitted all the electronic 
documents submitted with my electronic signature to [specify the name 
of the electronic document receiving system] on behalf of [specify the 
name of regulated entity the signature-holder represents].''
    Finally, EPA also solicits comment on whether some other mechanism 
is needed, in lieu of the registration agreement, to ensure that 
holders of electronic signatures properly use and protect their 
signatures. Specifically, EPA seeks comment on the possible alternative 
of adding a provision paralleling 21 CFR section 11.100(c)(2) (under 
the Food and Drug Administration's electronic signature rule) requiring 
that signature holders, upon request, ``provide additional 
certification or testimony that a specific electronic signature is the 
legally binding equivalent of the signer's handwritten signature.'' EPA 
seeks comment on whether codifying such a provision would provide a 
better method of ensuring the proper use and protection of signatures 
than the agreements, renewals and related certification statements that 
we are currently proposing.
    EPA also proposes to require that an electronic document receiving 
system have a mechanism to automatically revoke an electronic signature 
whenever 1) there is any evidence the submitter has violated the 
registration agreement; 2) there is any evidence the electronic 
signature has been compromised; or 3) there is notification from an 
entity that the holder of an electronic signature previously authorized 
to represent that entity is no longer authorized to represent the 
entity. Revocation of a signature would not necessarily mean that the 
signature holder cannot be held accountable for previous uses of that 
signature, but it might lead the agency involved to require that 
particular materials be resubmitted. EPA seeks comment on whether there 
are other circumstances that should result in automatic invalidation of 
an electronic signature.
    It should be added that EPA proposes to require registration of any 
individual who submits electronic documents to an electronic document 
receiving system on behalf of an entity, regardless of whether the 
individual is issued an electronic signature, because EPA believes that 
registration strengthens system security and data integrity. 
Accordingly, the registration process for an individual who is not 
being issued an electronic signature will simply omit the signature-
specific requirements. EPA seeks comment on this more general 
registration requirement.
    4. Electronic Signature/Certification Scenario. In order for 
electronic document receiving systems to provide the same functionality 
as existing paper-based systems, the act of affixing an
electronic signature to an electronic document must have the same 
meaning and legal effect as signing a paper document. In some 
instances, a signature indicates an intent to be bound to the 
commitments made in a document and constitutes an assertion that 
contents of the document are both truthful and accurate. In order to 
ensure that an electronic signature has the same meaning as its 
handwritten, paper counterpart, proposed section 3.2000(e) would 
require that an electronic document receiving system validate only 
those electronic signatures that are generated or affixed to an 
electronic document using a ``signature/certification scenario'' that 
ensures that the signatory understands and intends the legal 
consequence of affixing an electronic signature to an electronic 
document. This feature of an electronic document receiving system is 
important to ensure that each signed electronic document it receives 
can be used in civil and criminal enforcement, including cases against 
the holder of the electronic signature as signer of the electronic 
document.
    EPA proposes to require that an electronic document receiving 
system must validate only electronic signatures that have been affixed 
after: (1) The submitter has scrolled through on-screen pages that 
present all the data to be certified in a familiar, human-readable 
format (Sec. 3.2000(e)(1)(i)); (2) the screen displays a certification 
statement that is similar or identical to the certifying language 
required on the corresponding paper submissions of the report, this 
display occurring just above the place on the screen where the 
submitter is prompted to initiate the signing process 
(Sec. 3.2000(e)(1)(ii)); and (3) the submitter has seen a warning--
prominently displayed together with the certification statement 
described in (2)--that by initiating the signing process the submitter 
agrees that he or she is using the signature in compliance with the 
signature agreement that was signed when the signature device was 
issued (Sec. 3.2000(e)(1)(ii)).
    The point of the first proposed condition is to ensure that the 
submitter reviews the data being submitted as a part of the signing 
process. Accordingly, an acceptable system must display the data in a 
format that clearly associates each data element with the name or label 
of the corresponding data field and also allow the submitter to 
carefully review all the data without time constraint. The point of the 
third proposed condition is to make certain the submitter fully 
understands that by activating the signature, he or she is taking a 
step with the same legal implications as signing and sending a report 
on paper. EPA is proposing this condition because of many environmental 
programs under which signing and certifying a false report--whether on 
paper or electronically--may subject the signatory to criminal 
prosecution. At least for those cases where the ``click of a mouse'' 
may create the potential for criminal liability, then, EPA believes it 
is important to ensure that the submitter understands what the 
consequences of the act might be. For this purpose, EPA believes that 
this warning statement should consist of at least the following:
    ``WARNING: By signing this report, you agree that you are [name of 
authorized signature holder], have protected the security of your 
electronic signature as required by the electronic signature agreement 
which you signed on [date of most recent signing], and are otherwise 
using your electronic signature in accordance with that agreement.''

--although we are not proposing to codify this language in the rule. 
EPA seeks comments on whether this language should be codified, and, 
more generally, on whether the three conditions to be satisfied prior 
to signing are necessary and sufficient to establish that the signature 
was affixed with the requisite intent.

    EPA also seeks comment on three alternative versions of this third 
proposed condition that would replace the ``together with a prominently 
displayed warning. * * *.'' language of (Sec. 3.2000(e)(1)(ii)) with a 
separate provision to be inserted just before (Sec. 3.2000(e)(1)(ii)). 
The simplest version would read:
    ``The signatory attests to compliance with an electronic signature 
agreement that is presented on-screen, refers to the signatory by name, 
and includes an acknowledgment that the signatory is the authorized 
registrant to whom the signature was issued; and * * *''.
    A more robust version would read:
    ``The signatory attests to a statement that he or she is the 
authorized registrant--referred to by name--to whom the signature was 
issued, has taken reasonable steps to protect the signature, and does 
not have any reason to think that the signature has been used by anyone 
else; and * * *''.
    The most robust version would read:
    ``The signatory attests to compliance with an electronic signature 
agreement that is presented on-screen, refers to the signatory by name, 
and includes an acknowledgment that the signatory is the authorized 
registrant to whom the signature was issued, has not in the past 
authorized any other person to sign on his or her behalf, has not at 
any time compromised the electronic signature, has reviewed all 
automatic acknowledgments for past submissions as described in 
paragraph (e)(2) of this section, and has no evidence that the 
signatory's electronic signature or any other feature of the electronic 
submission mechanism has been compromised; and * * *''
    Corresponding to the three versions of the proposed regulatory 
provision, the suggested (but not proposed to be codified) language 
would be, starting with the simplest:
    ``(1) I, [name of signatory], am the authorized holder of the 
electronic signature I am about to use;
    (2) I understand and agree that I will be held as legally bound, 
obligated, or responsible by my use of my electronic signature as I 
would by using my hand-written signature.''

next, the more robust:

    ``(1) I, [name of signatory], am the authorized holder of the 
electronic signature I am about to use;
    (2) I have taken reasonable steps to protect my signature;
    (3) To the best of my knowledge, my signature has never been used 
by anyone else.''

and, finally, the most robust:

    ``(1) I, [name of signatory], am the authorized holder of the 
electronic signature I am about to use;
    (2) I have taken reasonable steps to protect my signature;
    (3) To the best of my knowledge, my signature has never been used 
by anyone else;
    (4) I have no other evidence that any component of my electronic 
signature has been lost, stolen or compromised in any way;
    (5) I have reviewed all the acknowledgments and copies of my 
previous submissions to [specify the name of the electronic document 
receiving system].''
    EPA seeks comment on the appropriateness of these variant 
alternatives to the proposed `warning' provision--and their 
corresponding suggested statements--for purposes of establishing the 
intent with which the signature was applied, helping to show that the 
signatory was in fact the authorized signature holder, and preventing 
signature compromise or repudiation. EPA is especially interested in 
the question of whether any of these provisions might tend to 
discourage regulated entities from choosing to submit environmental 
reports electronically. EPA is also interested in comments on the need 
for
any version of this `warning' provision in view of the certifications 
provided in conjunction with the renewals of signature agreement 
discussed in the preceding section of this preamble (Section IV.D.3).
    In addition, we are proposing that, once the electronic signature 
is affixed, and the electronic document submitted, the signature/
certification scenario must include two responses from the electronic 
document receiving system. The first is simply an automatic 
acknowledgment that the report has been received and any affixed 
electronic signature validated, with the time and date of receipt. The 
purpose of this acknowledgment is, at least in part, to alert the 
registered holder of an electronic signature if someone has 
appropriated the registered electronic signature and used it to submit 
spurious electronic documents. As noted above, the registered holder of 
the electronic signature will not be allowed to sign another electronic 
document once aware that it has been compromised.
    EPA also proposes to require that the automatic acknowledgment be 
sent to an address that does not share the same access control--for 
example, that is not protected by the same passwords or confidential 
log-in procedures--as the system from which the electronic report was 
signed and sent. The intent of this requirement is to frustrate 
unauthorized use of an electronic signature without detection. To elude 
detection, the intruder will have to compromise not only the signature 
protections, but also the additional system's access controls. The 
additional address could be electronic or could be a United States 
Postal Service address. In any event, the feature of the electronic 
document receiving system should aid in the detection of compromised 
electronic signatures and reduce the frequency and strength of false 
claims that an electronic signature has been appropriated without the 
knowledge of the registered holder of the electronic signature.
    The second response is what we are calling the `copy of record', 
also automatically created and made available to the submitter. The 
copy of record must include the complete electronic document that was 
submitted. The copy of record must be complete in the sense that it 
must accurately associate all of the information provided by the 
submitter with the descriptions or labeling of the information being 
requested. In addition, to be complete, the copy of record must include 
all the warnings, instructions and certification statements presented 
to the submitter as a part of the signature/certification scenario. 
Finally, this copy of record must: (1) Be viewable on-screen in a 
human-readable format that makes clear the association between each of 
the information elements provided by the submitter and the descriptions 
or labels in terms of which these elements were requested; (2) include 
the date and time of receipt; and (3) be signed with a secure, 
immutable agency electronic signature that is ``bound'' to this 
electronic document. As the name would suggest, the copy of record must 
be archived by the agency system, made available to the submitter for 
viewing and downloading, and protected from unauthorized access.
    The proposed copy of record requirement is intended to detect 
spurious or compromised submissions, enabling timely disavowal of 
unintended submissions and reducing the frequency and strength of 
claims that an electronic document has been modified in transmission or 
unintentionally submitted. Under the signature/certification scenario 
in today's proposed rule, the copy of record will be--strictly 
speaking--made available to the registered holder of the electronic 
signature. If the signature has somehow been compromised--or if the 
data is somehow different from what was intended to be submitted--this 
copy of record, together with the acknowledgments discussed above, will 
give the signature-holder an opportunity to alert the agency to the 
compromise of his/her signature and/or his/her data. This proposed 
requirement is also intended to protect the agency from attempts to 
falsely repudiate a submission.
    EPA seeks comment on whether the number and type of responses from 
the electronic document receiving system adequately address the issue 
of spurious or compromised submissions. Specifically, we seek comment 
on the requirements placed on the automatic acknowledgments. In 
addition, we are interested in views on whether it will be generally 
feasible for electronic document receiving systems to create copies of 
record with all the attributes we are proposing that they have, and 
whether all of these attributes are necessary for the copy of record to 
fulfill its intended purpose.
    5. Transaction Record. To help settle potential disputes over 
whether certain submissions were made, when they were made, what they 
contained, or who made them, an electronic document receiving system 
must create a transaction record for every submission of an electronic 
document. EPA will require that this record be created automatically, 
and include the precise routing of the signed electronic document from 
the submitter's computer to the receiving system and the copy of record 
described above. In addition, based on the receiving system's clock, 
this transaction record must include the precise date and time of: (1) 
The initial receipt of the reported data; (2) the receipt of the 
submitter's signed certification of the data (where this step is 
subsequent to the initial data transfer); (3) the sending of the 
acknowledgment notice; and (4) the creation of the copy of record. 
These details may be regarded as providing the ``chain of custody'' for 
the submitted report, and help to establish its authenticity. EPA seeks 
comment on whether this transaction record specification is 
sufficiently robust to provide for ``chain of custody''.
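    The copy of record and the transaction record described above can 
be sketched as data structures with a consistency check. This is an 
added example, not code from EPA or CDX: the field names, the sample 
values, the rule that no later event may precede initial receipt, and 
the use of HMAC-SHA256 in place of the agency's digital signature are 
assumptions made for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed demo key (assumption). HMAC-SHA256 stands in for the agency's
# digital signature so the example runs with the standard library alone.
AGENCY_KEY = b"constructed-demo-agency-key"

# The four events the transaction record timestamps from the receiving
# system's clock, in the order the preamble lists them.
EVENTS = ("data_received", "certification_received",
          "acknowledgment_sent", "copy_of_record_created")


def canonical(obj):
    """Serialize deterministically so equal content yields equal bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def agency_sign(body):
    return hmac.new(AGENCY_KEY, canonical(body), hashlib.sha256).hexdigest()


def build_copy_of_record(fields, statements, received_at):
    """fields: (label, value) pairs as shown to the submitter;
    statements: certification text and warnings displayed at signing."""
    body = {
        "fields": [{"label": label, "value": value} for label, value in fields],
        "statements_displayed": list(statements),
        "received_at": received_at.isoformat(),
    }
    # The signature is computed over the whole body, which "binds" it to the document.
    return {"body": body, "agency_signature": agency_sign(body)}


def build_transaction_record(copy_of_record, routing, times):
    missing = [e for e in EVENTS if e not in times]
    if missing:
        raise ValueError("missing timestamps: " + ", ".join(missing))
    return {"routing": list(routing),
            "timestamps": {e: times[e].isoformat() for e in EVENTS},
            "copy_of_record": copy_of_record}


def verify_submission(record):
    """Return a list of problems; an empty list means the record is consistent."""
    problems = []
    copy = record["copy_of_record"]
    body = copy["body"]
    if not hmac.compare_digest(copy["agency_signature"], agency_sign(body)):
        problems.append("agency signature does not match copy of record")
    # Completeness: every data element keeps its label, and the statements
    # shown during the signature/certification scenario are retained.
    if any(not f["label"].strip() for f in body["fields"]):
        problems.append("data element without a label")
    if not body["statements_displayed"]:
        problems.append("certification statement and warning missing")
    if body["received_at"] != record["timestamps"]["data_received"]:
        problems.append("receipt time differs between copy of record and transaction record")
    stamps = {e: datetime.fromisoformat(t) for e, t in record["timestamps"].items()}
    for event in EVENTS[1:]:
        if stamps[event] < stamps["data_received"]:
            problems.append(event + " precedes initial receipt")
    return problems


def demo_record():
    """Constructed sample submission; every value here is made up."""
    t0 = datetime(2001, 8, 31, 14, 0, tzinfo=timezone.utc)
    copy = build_copy_of_record(
        [("Facility ID", "EXAMPLE-0001"), ("Total release (lb)", "120")],
        ["[certification statement as displayed]", "[warning as displayed]"],
        t0)
    return build_transaction_record(
        copy,
        ["submitter-host.example", "gateway.example", "receiving-system.example"],
        {"data_received": t0,
         "certification_received": t0 + timedelta(seconds=90),
         "acknowledgment_sent": t0 + timedelta(seconds=95),
         "copy_of_record_created": t0 + timedelta(seconds=96)})


if __name__ == "__main__":
    print(verify_submission(demo_record()))
```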
    6. System Archives. EPA also proposes to require that electronic 
document receiving systems maintain the contents of the transaction 
record described above--including the copy of record--for as long as 
they may be needed for enforcement or other programmatic purposes. In 
addition we are also proposing that the system must maintain records 
that show, for any given electronic submission not only what 
information was displayed to the user during the submission process--
including the instructions, prompts, data labels, etc. captured in the 
copy of record--but also how this information was displayed, including 
the sequencing, functioning and overall appearance of these interface 
elements. The reason is that it may be difficult to interpret what some 
of the submission's data elements mean if we do not know the context 
within which they were provided--e.g., to what on-screen display or 
query a ``yes'' was responding. Depending on exactly how the signing 
process is implemented, at least some of this interface information may 
be captured within the scope of what is bound by the signature, e.g., 
if the signature is applied to the entire content of the screens that 
are reviewed by the signatory during the signature/certification 
scenario. To whatever extent this occurs, the archiving of the ``copy 
of record'' would contribute to this archiving of the interface.
    The system must maintain the archived records in a way that can be 
shown to have preserved them without any modification since the time 
they were created; the system must be able to make these records 
available to users in a timely way as they are needed. EPA seeks 
comments on these archiving criteria, and especially on whether there 
are any issues raised by the need to maintain the copy of record--which
includes electronic signatures--over long periods of time. Of 
particular concern are copies of record that include digital 
signatures, as they will for electronic submissions received by the 
Central Data Exchange (CDX). (For an explanation of digital signatures, 
and their role in CDX, see Section V.B.1 of this preamble.) Ideally, 
the system will preserve digital signatures in a form which allows them 
to be validated at any point during the life of the archived records 
that contain them; this is the standard implied by Sec. 3.2000(g)(2)(i) 
that requires the copies of record to be preserved ``in their 
entirety'' for the life of the archive. However, EPA realizes that this 
ideal may be difficult to implement in practice for several reasons, 
including:
     The sensitivity of digital signatures to very minimal (and 
unavoidable) deterioration of the magnetic medium in which the records 
are stored--so that they no longer can be validated, even though the 
records remain usable in every other way;
     The possible software dependence of the validation 
process--so that, as the archives' systems environment evolves over 
long periods of time, it may become increasingly difficult to operate 
the validation software designed to work with the archived signatures; 
and
     The dependence of validation on the accessibility of a 
public key infrastructure (PKI) certificate that was valid when the 
digital signature was created--so that, over time, it may become 
increasingly difficult to determine the keys and identifying 
information associated with the signature.
    EPA seeks comments on these and related difficulties that may stand 
in the way of validating archived digital signatures, and we welcome 
any advice on how these might be overcome. If these difficulties cannot 
be overcome, or overcome only at great expense, then EPA would seek to 
revise Sec. 3.2000(g)(2), by specifying alternatives to maintenance of 
the original signature and its validation as archived that would still 
allow users to demonstrate both the validity of the signature and the 
integrity of the record as a true picture of the data as it was signed. 
A possible approach might involve an archivists' wet-ink-on-paper 
certification that the digital signature was valid at the time the 
record was placed in the archive, together with appropriate measures to 
preserve the record unchanged. On another approach, the archivist might 
digitally re-sign the document at certain intervals, adding appropriate 
certifications about the validity of the original (or previous) 
signature on the document. EPA also seeks comment on such alternative 
approaches.
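    The second alternative above, periodic re-signing by the 
archivist, as an added example that is not EPA's or CDX's design: each 
new layer covers the record hash, the original signature and all 
earlier layers, so only the newest key is needed at validation time. 
The layer format and all names are hypothetical, and HMAC-SHA256 
stands in for the archivist's digital signature.

```python
import hashlib
import hmac
import json


def canonical(obj):
    """Deterministic serialization, so equal content gives equal bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def covered_digest(entry, upto):
    """Digest of what layer number `upto` protects: the record hash, the
    original signature, and every earlier layer including its signature."""
    return sha256_hex(canonical({
        "record_sha256": entry["record_sha256"],
        "original_signature": entry["original_signature"],
        "layers": entry["layers"][:upto],
    }))


def layer_signature(key, layer):
    unsigned = {k: v for k, v in layer.items() if k != "signature"}
    # Stand-in for the archivist's digital signature (assumption).
    return hmac.new(key, canonical(unsigned), hashlib.sha256).hexdigest()


def add_layer(entry, key, key_id, signed_at, certifies):
    layer = {"key_id": key_id, "signed_at": signed_at, "certifies": certifies,
             "covers_sha256": covered_digest(entry, len(entry["layers"]))}
    layer["signature"] = layer_signature(key, layer)
    entry["layers"].append(layer)
    return entry


def deposit(record, original_signature, original_valid, key, key_id, signed_at):
    """Archive a record only after its original signature has been validated."""
    if not original_valid:
        raise ValueError("original signature must validate before deposit")
    entry = {"record_sha256": sha256_hex(record),
             "original_signature": original_signature, "layers": []}
    return add_layer(entry, key, key_id, signed_at,
                     "original signature valid at deposit")


def verify_archive(entry, record, current_key):
    """Return a list of problems; an empty list means the entry checks out."""
    problems = []
    if sha256_hex(record) != entry["record_sha256"]:
        problems.append("record bytes changed since deposit")
    for i, layer in enumerate(entry["layers"]):
        if layer["covers_sha256"] != covered_digest(entry, i):
            problems.append(f"layer {i} no longer covers the preceding content")
    if not entry["layers"]:
        problems.append("no archivist layer present")
    else:
        outer = entry["layers"][-1]
        expected = layer_signature(current_key, outer)
        if not hmac.compare_digest(outer["signature"], expected):
            problems.append("outermost signature invalid under current key")
    return problems


def re_sign(entry, record, previous_key, new_key, new_key_id, signed_at):
    """Add a layer under a new key, but only while the previous layer,
    checked with the key that is about to be retired, still validates."""
    problems = verify_archive(entry, record, previous_key)
    if problems:
        raise ValueError("cannot re-sign: " + "; ".join(problems))
    return add_layer(entry, new_key, new_key_id, signed_at,
                     "previous signature valid at re-signing")


if __name__ == "__main__":
    record = b"constructed archived copy of record"   # sample data, made up
    entry = deposit(record, "constructed-original-signature", True,
                    b"key-2001", "archivist-2001", "2001-09-01")
    entry = re_sign(entry, record, b"key-2001", b"key-2006",
                    "archivist-2006", "2006-09-01")
    print(verify_archive(entry, record, b"key-2006"))
```

A single changed byte in the stored record is reported separately from 
a broken layer, which distinguishes media deterioration from a fault in 
the certification chain.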

E. What Are the Costs and Benefits Associated With Today's Proposal?

    EPA estimates that today's proposal could result in an average 
annual reduction in reporting and record-keeping costs for those 
information collections identified as potentially benefitting from 
offering an electronic reporting option. Based on this analysis, EPA 
estimates that CROMERRR could result in an average annual reduction in 
burden of $52.3 million per year for those facilities reporting, $1.2 
million per year for EPA, and $1.24 million for each of the 30 states 
that were assumed to implement programs over the eight years of the 
analysis. For details of this study, see the technical background 
document, Cross Media Electronic Reporting and Recordkeeping Rule Cost 
Benefit Analysis in the Docket for today's proposal. EPA requests 
comment on whether the underlying assumptions and the methods used in 
the cost benefit analysis provide a realistic estimate of the costs and 
benefits associated with electronic reporting and recordkeeping.
    1. Scope and Method. The purpose of the analysis was to estimate 
the labor hour and total cost effects (either savings or increases) 
attributable to each of the major elements of the CROMERRR proposal and 
to assess, qualitatively, the environmental implications. The major 
elements include: the use of modern electronic technologies for the 
production, completion, signing, transmitting, and recording without 
the use of paper copies. Within the assessment of technologies we chose 
three forms of electronic reporting (web forms, EDI, and XML) that 
EPA's CDX plans to support. For those entities using web forms, the 
costs of reporting to EPA electronically would be negligible, as EPA 
intends to provide the web forms and signature capabilities needed. In 
the latter two approaches (EDI and XML), EPA anticipates additional up-
front cost will be incurred by regulated entities to establish EDI or 
XML file generation capabilities, but the savings will be larger over 
time, as these entities can more fully automate their reporting to EPA.
    In the course of establishing projected estimates of costs and 
savings of electronic reporting and recordkeeping, EPA had to establish 
a baseline of current costs. The current costs of paper-based reporting 
to EPA and States delegated the authority to manage an EPA reporting 
program were based on an extensive assessment of EPA's official 
information collection request (ICR) submissions that would be subject 
to the CROMERRR rule, as well as more detailed cost estimates performed 
on major EPA systems. In performing the analysis, over 50 ICRs were 
extensively reviewed and approximately 70 other ICRs were more 
summarily reviewed. A list of the ICRs, and the approach used to 
analyze them, are contained in Appendix A of EPA's Cross Media 
Electronic Reporting and Recordkeeping Rule Cost Benefit Analysis. In 
the course of analyzing the ICR costs, reporting costs were broken into 
discrete functional areas (such as data entry, mailing, reconciliation, 
archiving and program management) and were analyzed for costs.
    In addition to the ICR analysis, EPA performed analysis of the 
general costs and benefits of electronic reporting experienced by 
commercial and government agencies, as described in the EPA Electronic 
Reporting Benefit/Cost Justification Report (June 30, 1999). EPA also 
conducted in-depth analyses of business processes and associated costs 
for several major EPA programs. These analyses include analyses for 
Toxic Release Inventory (TRI), National Pollutant Discharge Elimination 
System (NPDES), Public Water Supply System (PWSS) and selected Clean 
Air Act reports. In addition, EPA, in conjunction with State partners 
in the Arizona Department of Environmental Quality (ADEQ) and the Texas 
Natural Resources Conservation Commission (TNRCC), conducted 
assessments of the potential impacts and opportunities presented by 
environmental electronic reporting on their EPA-delegated state 
programs and affected regulated entities. These programmatic and state 
analyses are available in the CROMERRR docket. EPA also reviewed 
similar analyses performed for other EPA electronic reporting efforts, 
such as the proposed Hazardous Waste Manifest Automation Rule. EPA 
invites comments on the approach used for conducting the analysis and 
on the list of ICRs analyzed--whether this list encompasses the 
spectrum of EPA requirements impacted by CROMERRR and what additional 
information collections, if any, should be incorporated into further 
analysis.
    Based on the combined review of the functional areas (including 
data entry, mailing, reconciliation, archiving and program management) 
of individual ICRs, EPA identified general trends in the relative 
distribution of costs for each of the categories. Using the analyses 
conducted under the more in-depth studies performed, EPA was able to
estimate the impacts of electronic reporting on each of the functional 
areas (including data entry, mailing, reconciliation, archiving and 
program management). For instance, by offering facilities the 
electronic submission as an alternative to printing and mailing the 
paper submissions, the percentage of costs attributed to ``mailing'' 
could be eliminated. Using this logic, EPA added the relative 
percentages of reductions in each of these functional areas, and 
determined that a general reduction of 11 percent in the overall cost 
of reporting could be achieved through web-based submissions, and that 
a 25 percent reduction could be achieved for those facilities that 
implement EDI or XML based exchanges.
    EPA is also considering a second series of analyses, using an 
alternative form of calculating the costs and savings to the Agency. In 
performing this alternative analysis EPA would still break the costs 
for a program report into discrete functional areas (i.e., data entry, 
mailing, etc.); however, the estimates of reduction would use 
``absolute'' values instead of percentages. As an example, EPA program 
X has identified that the mailing of form B requires 10 minutes per 
submission. The costs for facilities choosing to submit electronically 
would take into account the elimination of mailing, and the costs for 
electronic reporting under that program would be reduced by 10 minutes 
for each submission. The advantage of this approach is that it offers 
potentially greater accuracy for estimating costs for each reporting 
program. A disadvantage is that, where the functional activity, such as 
program management, is only partially impacted by electronic reporting, 
determining an ``absolute'' value could involve arbitrary judgement 
calls on a program by program basis. EPA requests comment on ways to 
improve an analysis of this type as well as suggestions for other 
approaches that may better identify the potential costs and benefits of 
the proposed electronic reporting and recordkeeping rule.
    As discussed further below, two sets of regulatory cost reduction 
(savings) estimates were projected--one for web based submissions and 
one for EDI/XML--based on a range of alternate assumptions regarding 
the national adoption rates for automation options. In both cases, it 
was assumed that 77 percent of all reports would be prepared, 
transmitted, and recorded electronically at full implementation. The 
implementation rates of facilities, however, will vary depending on the 
degree to which the facility implements electronic reporting for 
environmental requirements directly with EPA or with State regulatory 
agencies managing EPA-delegated/authorized environmental programs. The 
rates are also affected by the method (Web, EDI, or XML) the facility 
chooses to use in reporting to EPA or the delegated State agency. The 
table below describes the implementation rates for facilities under the 
scenarios described. The table also presents the current ``As-Is'' 
rates of paper or diskette exchange and the impacts of electronic 
reporting on these rates over an eight year period.

                                                    Facility Implementation Rates by Reporting Method
                                                                    [In percentages]
--------------------------------------------------------------------------------------------------------------------------------------------------------
                        Reporting method                             FY00       FY01       FY02       FY03       FY04       FY05       FY06       FY07
--------------------------------------------------------------------------------------------------------------------------------------------------------
As-is:
    Delegated...................................................        100        100         95         89         81         73         64         56
    Non-delegated...............................................        100        100         96         66         50         45         36         28
    Mixed delegation............................................        100        100         96         77         66         59         50         42
Web:                                                                      0          0          0          0          0          0          0          0
    Delegated...................................................          0          0          4          8         12         18         24         30
    Non-delegated...............................................          0          0          3         25         32         37         42         48
    Mixed delegation............................................          0          0          3         17         22         27         33         39
EDI:                                                                      0          0          0          0          0          0          0          0
    Delegated...................................................          0          0          1          2          2          3          4          5
    Non-delegated...............................................          0          0          1          4          6          6          7          8
    Mixed delegation............................................          0          0          1          3          4          5          6          6
XML:                                                                      0          0          0          0          0          0          0          0
    Delegated...................................................          0          0          0          2          4          6          8         10
    Non-delegated...............................................          0          0          0          4         12         12         14         16
    Mixed delegation............................................          0          0          0          3          8          9         11         13
--------------------------------------------------------------------------------------------------------------------------------------------------------

Recordkeeping rates are not presented in the table above. However, it 
was also assumed that a very low number of facilities (0.5 percent of 
the current regulated entities) would elect to acquire new electronic 
recordkeeping systems to implement the CROMERRR recordkeeping option. 
EPA is seeking comments on the implementation rates for reporting and 
recordkeeping as described in this proposed rule.

    For EPA, the average annual cost to implement and operate 
electronic reporting and record-keeping is $25.8 million, and the 
average annual cost savings compared to equivalent paper-based systems 
is $1.2 million. The average annual cost to implement an electronic 
reporting system is $1.1 million for each state, and $1,273 for each 
facility. The net average annual cost savings of electronic reporting 
compared to an equivalent paper-based submission is $1.24 million for 
each state, and $1,140 for each facility. The total average annual 
costs of implementing and reporting electronically for all facilities 
is $3,420 million, which presents a net average annual savings for all 
facilities of $52.3 million over current paper-based reporting. The 
average annual cost to implement a new electronic record keeping system 
is $40,000 for each facility, and the net average annual cost savings 
for operating the electronic record keeping system is $23,080.
    These costs are based on FY 2000 dollars and include a 7.0% annual 
discount rate. Therefore, our estimates indicate that implementation of 
electronic reporting will result in a net burden reduction for all 
participants, but facilities may not find it cost-effective to develop 
an electronic records system unless it addresses both EPA and non-EPA 
business purposes. The table below summarizes the total cost of the 
current ``as is'' paper system and the future ``to be'' electronic 
reporting and record-keeping costs over the next eight (8) years for 
EPA, States, and regulated entities. In preparing this

[[Page 46179]]

analysis, EPA chose to be conservative in assigning implementation 
rates and used technology costs based on the current year.

                                              Summary As-Is Versus To-Be Costs and Cumulative Savings ($M)
                                                                  [In FY 2000 Dollars]
--------------------------------------------------------------------------------------------------------------------------------------------------------
                      Cost                            FY00         FY01         FY02         FY03         FY04         FY05         FY06         FY07
--------------------------------------------------------------------------------------------------------------------------------------------------------
As-Is costs:
    Facilities..................................      3,863.0      3,883.7      3,775.0      3,669.2      3,566.1      3,444.1      3,369.2      3,274.7
    States......................................         58.7         59.0         57.4         55.8         54.2         52.7         51.2         49.8
    EPA.........................................         25.8         26.9         26.9         27.1         27.2         27.4         27.5         27.6
To-Be costs:
    Facilities..................................      3,863.0      3,883.7      3,771.3      3,629.4      3,520.8      3,357.7      3,278.7      3,197.8
    States......................................         58.7         59.0         42.3         40.1         38.4         37.5         36.2         35.0
    EPA.........................................         28.4         30.7         42.3         26.9         21.5         19.6         19.3         18.4
                                                 -------------------------------------------------------------------------------------------------------
        Difference..............................        (2.6)        (3.9)          3.5         55.6         66.8        109.3        113.8        101.0
--------------------------------------------------------------------------------------------------------------------------------------------------------

    It should be stressed that the facility cost and cost-savings 
estimates that these totals represent are averages per facility, and 
these averages cannot be translated into costs/cost-savings per report 
submitted electronically. The cost-related effects of introducing 
electronic reporting for a particular report may depend on 
circumstances that are unique to the data being reported, and these 
specifics are not reflected in the per facility averages. Accordingly, 
while the facility cost and cost-savings estimates are based in part on 
considering the ICRs that are likely to be affected by the proposed 
rule, the resulting cost/cost-savings numbers cannot be used `in 
reverse' to calculate cost and burden reductions associated with 
introducing electronic reporting for any individual ICR.
    In addition, the actual costs and cost-savings for implementing 
facilities will vary widely depending on the electronic submission 
approach. Companies choosing to submit using web forms will have much 
lower initial investment costs, but will receive less savings than 
companies that choose to automate their systems to generate EDI or XML 
file submissions to EPA. In the latter case, EPA assumes that costs 
associated with the implementation of EDI or XML will result from 
companies configuring existing XML or EDI software to EPA prescribed 
formats, and companies will tend not to invest in EDI hardware or 
software for the singular purpose of submitting data to EPA. If the 
electronic commerce industry trends continue, the costs of implementing 
technologies will decline and the number of facilities and states 
implementing electronic reporting will increase, thereby increasing the 
overall net benefits of the rule. EPA is also continuing to research 
electronic record-keeping options that will improve the cost 
effectiveness of electronic record-keeping while meeting federal 
enforcement requirements. EPA is seeking comment from reviewers on 
alternative record keeping approaches and on EPA's assumption that 
facilities choosing to submit data via XML or EDI to EPA will not 
acquire new hardware or software.
    2. Qualitative Implications. In addition to the cost savings 
identified through implementation of this proposal, EPA also has 
identified a number of qualitative benefits through implementation of 
an electronic system. These qualitative benefits of electronic 
reporting include: enhanced quality of data received and entered into 
our systems, faster public access to data submitted to EPA, better 
tracking of compliance submissions by industry and government agencies, 
and opportunities for re-engineering current paper processes. EPA's 
Cross Media Electronic Reporting and Record-keeping Rule Cost Benefit 
Analysis describes the qualitative aspects in more detail.

V. The Central Data Exchange (CDX)

A. What Is EPA's Concept of the CDX?

    EPA's Office of Environmental Information (OEI) is currently 
developing the specifications for a `central data exchange' that will 
serve as EPA's primary gateway for electronic documents received by 
EPA. As noted in section I.B of this preamble, CDX is being designed 
with the goal of fully satisfying the criteria that this proposal 
specifies for assessing State or tribal electronic document receiving 
systems; similarly, EPA will ensure that other systems the 
Administrator designates to receive electronic submissions satisfy the 
criteria as well. With respect to the electronic document submission 
process and criteria addressed by today's proposal, we intend CDX 
functions to include:
     Access management--allowing or denying an entity access to 
CDX;
     Data interchange--accepting and returning data via various 
file transfer mechanisms;
     Signature/certification management--providing devices and 
required scenarios for individuals to sign and certify what they 
submit;
     Submitter and data authentication--assuring that 
electronic signatures are valid and data is uncorrupted;
     Transaction logging--providing date, time, and source 
information for data received to establish ``chain of custody'';
     Acknowledgment and provision of copy of record--providing 
the submitter with confirmations of the data received;
     Archiving--placing files received and transmission logs 
into secure, long-term storage;
     Error-checking--flagging obvious errors in documents and 
document transactions, including duplicate documents and unauthorized 
submissions;
     Translation and forwarding--converting submitted documents 
into formats that will load to EPA databases, and forwarding them to 
the appropriate systems;
     Outreach--providing education and other customer services 
(such as user manuals, help desk) to CDX users.
    The idea is to eventually provide--to the greatest extent 
possible--one way and one place for the regulated community to exchange 
electronic documents with EPA. States may also choose to use CDX as a 
gateway for electronic data submissions from their regulated community, 
as a cost-effective alternative to building their own system. EPA is 
exploring opportunities to leverage CDX resources for use by 
authorized/approved state programs. CDX may also provide the platform 
for State-EPA data exchanges that

[[Page 46180]]

implement administrative arrangements for data sharing. However, as 
with the provisions of the proposed rule, the features and functions of 
CDX described in this Section will generally be inapplicable to these 
State-EPA exchanges.
    With respect to EPA's electronic transactions with regulated 
entities, our hope is that the uniformity of process and technology 
that CDX provides will help both EPA and regulated entities realize 
economies of scale from their investments in data exchange 
technologies. This is not to say that use of CDX to submit electronic 
documents will necessarily involve substantial investment; it will 
require little more of a submitter than access to a computer with a 
browser and an Internet connection. However, for organizations that 
have invested heavily in the computerized management of their 
environmental data, CDX is also being designed to support substantial 
automation of the data transfer processes. In addition, EPA hopes that 
CDX's centralization of data exchange will eventually provide the 
platform for greater integration or consolidation of environmental 
reporting.

B. What Are the CDX Building Blocks?

    To support its various functions, we are designing CDX to 
incorporate a number of key building blocks, including:
     Digital signatures based on public key infrastructure 
(PKI),
     A process for registering users and managing their access 
to the CDX,
     A characteristic systems architecture,
     Electronic data interchange (EDI) standards, and
     A characteristic environment in which electronic reporting 
transactions will be conducted.
    These building blocks--as explained in detail in the following 
sections--are meant to ensure that CDX can perform the functions of an 
electronic document receiving system under the proposed rule. EPA 
believes that these building blocks, taken together, will satisfy the 
criteria in today's proposal for electronic document receiving systems, 
but seeks comment on this general question.
1. Public Key Infrastructure (PKI)-Based Digital Signatures
    PKI-based digital signatures are the product of two concepts:
     ``Asymmetric'' cryptography, and
     An institutional framework for ``certifying'' the identity 
of a signature-holder, provided by PKI.
    Taking these in order, ``asymmetric'' cryptography is based on a 
mathematical relationship that exists between certain pairs of numbers, 
for example number A and number B, such that
     If A is used to encrypt some message, B and only B can 
decipher it, and
     If B deciphers the message, it can only have been 
encrypted with A.

For purposes of a digital signature, then, A and B are uniquely 
assigned to individual X. (How this works is described below, in 
connection with explaining the ``institutional framework'' provided by 
PKI.) One of the numbers, say A, submitter X shares with no-one. This 
is X's ``private key''. The other, B, is X's ``public key'', and X 
shares B with anyone to whom X wishes to send a message--X may even 
publish B together with information that identifies him/her as X.

    Given his two keys, X then signs an electronic document as follows: 
(1) X uses a standard formula or algorithm to produce a number uniquely 
related to the content of the electronic document. This is referred to 
as the ``message digest'' or ``hash'' of the document. (2) X uses A, 
the private key, to encrypt this hash; this encrypted hash is X's 
digital signature, and it is unique both to X and to the particular 
message it signs. (3) X attaches this digital signature to his/her 
message (which is otherwise not encrypted), and sends it.
    When Y gets X's message, Y validates X's signature by: (1) Deriving 
the hash of the message, using the same standard algorithm that X used; 
(2) deciphering X's digital signature, using X's public key, B; and (3) 
comparing the hash Y derived (in step 1) with the deciphered signature. 
The two numbers--the derived hash and the deciphered signature--should 
agree. If (and only if) they do, then Y knows both that the signature 
was produced using A (which belongs to X), and that the message has not 
changed since X signed it.
    Because the digital signature is specific to the particular 
document, and is unique in each case, to say that X is a ``signature-
holder'' in this context is to refer to A and B, the private/public 
key-pair. The A/B key-pair does belong to X and plays the same role in 
each of the many digital signatures X may create through the process 
described above. Accordingly, it is this key-pair--rather than the 
individual signatures they are used to create--that is associated with 
the process of certifying a signature-holder's identity that is 
provided by PKI.
    Turning to this, PKI is a way of reliably establishing and 
maintaining the identity of the individual associated with a given key-
pair used in producing digital signatures. This protocol involves the 
issuance of a ``PKI certificate'' by a ``trusted'' ``certificate 
authority'' (CA). The CA is ``trusted'' in the sense that it operates 
in conformance with an appropriate certificate policy, and has 
demonstrated this conformance through its operations across a wide 
range of electronic commerce applications.
    Issuing a certificate for individual X typically involves the 
following steps: (1) X applies to the CA for a certificate; (2) the CA 
requests various pieces of personal information from X, and/or 
notarized verifications of X's personal information, and/or X to appear 
in person, to provide the CA with the bases for ``proving'' X's 
identity; (3) the CA provides X with a way to generate his unique key 
pair; (4) the CA conducts the ``identity proofing'' process--matching 
what X has provided against information about X in various commercial 
databases, official documents, etc.; (5) when the ``identity proofing'' 
is successfully completed, the CA creates a ``certificate'' for X that 
incorporates his public key, along with various pieces of identifying 
information about X; (6) the CA digitally signs the certificate to 
certify its authenticity, and makes it available to users through 
directory services. Some of these steps--especially the ``identity 
proofing'' process--may vary considerably, depending on requirements 
for security/certainty and the policies and practices of the particular 
CA. In the approach that EPA is currently planning, certificate 
issuance will be incorporated into a broader CDX registration process. 
The discussion of registration in the next section will include some of 
the proposed specifics of ``identity proofing'' and related steps for 
CDX purposes.
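    The signing and validation steps described above, together with the CA-signed certificate that binds public key B to X, are shown here as an added example that is not part of the proposed rule or of CDX. It uses textbook RSA without padding, a constructed JSON certificate rather than X.509, and demo keys built from publicly known Mersenne primes, so it illustrates the logic only; all function names, subject strings and the sample report are assumptions.

```python
import hashlib
import json

E = 65537  # public exponent used by every demo key


def make_keypair(p, q):
    """Return (private key A, public key B) as (exponent, modulus) pairs."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (d, n), (E, n)


# Constructed demo keys from publicly known Mersenne primes: deterministic and
# offline, but of no security value. Real keys use secret random primes.
CA_PRIVATE, CA_PUBLIC = make_keypair(2**1279 - 1, 2**2203 - 1)  # trusted CA
X_PRIVATE, X_PUBLIC = make_keypair(2**521 - 1, 2**607 - 1)      # submitter X
Z_PRIVATE, Z_PUBLIC = make_keypair(2**2281 - 1, 2**3217 - 1)    # unrelated party Z


def digest(data):
    """The 'message digest' or 'hash': SHA-256 of the bytes, as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data, private_key):
    """Signer steps (1)-(2): hash the document, then transform the hash with A.
    Textbook RSA without padding, for illustration only."""
    d, n = private_key
    return pow(digest(data), d, n)


def verify(data, signature, public_key):
    """Verifier steps (1)-(3): derive the hash, decipher the signature with B,
    and compare the two numbers."""
    e, n = public_key
    return 0 <= signature < n and pow(signature, e, n) == digest(data)


def canonical(body):
    """Stable byte encoding of a certificate body, so it can be hashed."""
    return json.dumps(body, sort_keys=True).encode("utf-8")


def issue_certificate(subject, subject_public_key, ca_private_key):
    """CA steps (5)-(6): bind identity to public key and sign the binding.
    Constructed JSON layout, not X.509."""
    body = {"subject": subject, "public_key": list(subject_public_key)}
    return {"body": body, "ca_signature": sign(canonical(body), ca_private_key)}


def validate_submission(document, signature, certificate, ca_public_key, claimed_subject):
    """Receiver-side check: trust the key only through the CA's signature."""
    body = certificate["body"]
    if not verify(canonical(body), certificate["ca_signature"], ca_public_key):
        return False, "certificate not signed by trusted CA"
    if body["subject"] != claimed_subject:
        return False, "certificate issued to a different subject"
    if not verify(document, signature, tuple(body["public_key"])):
        return False, "signature does not match document"
    return True, "valid"


if __name__ == "__main__":
    report = b"Constructed sample report: facility 0001, Q2 discharge 12.4 kg"
    cert_x = issue_certificate("Submitter X", X_PUBLIC, CA_PRIVATE)
    sig = sign(report, X_PRIVATE)
    print(validate_submission(report, sig, cert_x, CA_PUBLIC, "Submitter X"))
    # Any change to the document after signing breaks the comparison.
    print(validate_submission(report + b"0", sig, cert_x, CA_PUBLIC, "Submitter X"))
    # A certificate that Z signed for itself does not chain to the CA.
    self_signed = issue_certificate("Submitter X", Z_PUBLIC, Z_PRIVATE)
    sig_z = sign(report, Z_PRIVATE)
    print(validate_submission(report, sig_z, self_signed, CA_PUBLIC, "Submitter X"))
```

Production systems use a padded signature scheme such as RSASSA-PSS and X.509 certificates with validity periods and revocation checks, which this sketch omits.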
    The use of PKI-based digital signatures is itself supported by a 
very robust infrastructure of electronic commerce tools and practices, 
private- and public-sector policies and standards, as well as a very 
large and growing body of theoretical research into the mathematical 
foundations for this approach. Within the federal government, the 
importance of PKI is recognized not only by the ACES initiative 
(discussed below), but also by a standing ``Federal PKI Steering 
Committee'' with the mandate to promote and coordinate the adoption of 
PKI-based digital signatures for a broad range of applications across 
all federal

[[Page 46181]]

agencies. In addition, federal agencies may rely on security and PKI 
technical requirements published in the Federal Information Processing 
Standards (FIPS) developed by the National Institute of Standards and 
Technology, available at http://csrc.nist.gov/fips/.
2. The CDX Registration Process
    Under the system EPA is designing, to submit electronic documents 
to EPA you must first register with CDX, and--at least at the outset--
registration will be by invitation from EPA. Generally, as CDX is 
readied to receive a specified report, EPA will extend registration 
invitations to all individuals who currently submit that report to EPA 
on behalf of their organizations, and are identified as having this 
responsibility in EPA's Facility Registry System (FRS) database. If you 
have this responsibility but do not receive an invitation, you will 
have the opportunity to notify EPA and put yourself on our invitation 
list. However, if you submit the specified report to a State, tribal or 
local agency, you will not receive a CDX invitation, since your 
reporting transaction would be with that agency's electronic document 
receiving system, and not with CDX.
    If you decide to accept an invitation to report electronically, you 
will go through a registration process that involves three steps:
     Invitation and verification,
     Certificate issuance, and
     Access and agreement.
    Taking these in order, EPA will initiate the process by sending you 
a letter, through the United States Postal Service. The letter will 
indicate the opportunity to report electronically, provide a CDX web-
site address and access code, and invite you to start the registration 
process by logging on to the CDX site and verifying your name, address, 
organizational affiliation and area of reporting responsibility as 
posted on that site. This verification session will conclude by 
providing you with the web-site address for the Certificate Authority 
(CA) that will take you through step 2 of the process.
    Of course, you may not have the responsibilities that the CDX site 
indicates. That is, you may not be the individual who signs and submits 
the environmental reports the site specifies on behalf of your company. 
In that case, you will be invited to indicate the individual(s) who 
do(es) have these responsibilities, and that will conclude your own 
interaction with CDX. EPA will then update FRS, and issue new 
invitation letter(s) to the correct individual(s). Assuming you are the 
correct individual, step 1 may in some cases involve EPA asking for a 
letter from a responsible company official, on company letterhead, 
confirming that you have the responsibility to sign and submit the 
environmental reports in question. Finally, as a part of step 1 you may 
also be prompted to nominate one or two individuals as ``alternate'' 
submitters, to receive their own invitations to register and, via step 
2, to obtain their own PKI certificates. EPA is considering this 
provision for ``alternates'' so that there will always be someone at 
the facility available to sign electronic submissions with their own 
private key, in case you--as the primary submitter--are unavailable 
during a period when a document is due. EPA seeks comment on the value 
of the confirming letter, and of providing for these ``alternates'', 
and on whether these would impose any unacceptable costs or burdens on 
regulated entities.
    Moving on to step 2, certificate issuance will largely be in the 
hands of the certificate authority (CA). EPA's current plan is to 
secure CA services through the General Services Administration's (GSA) 
Access Certificates for Electronic Services (ACES) program. Under ACES, 
EPA will contract with one of the ACES vendors to issue and manage 
certificates for individuals wishing to submit electronic reports to 
CDX. More information on ACES is available at the ACES website: 
www.gsa.gov/aces.
    Assuming the ACES approach, then, issuance of your certificate will 
consist of a sequence of events similar to the following:
     You log onto the ACES CA's web-site, using the address 
provided at the end of step 1, and the access code provided in the 
initial invitation letter;
     You provide personal and business information that may 
include some of the following items--your name, home address, e-mail 
address, social security number, telephone number, credit card number, 
driver's license information, employer's address, common name of your 
employer, legal company name of your employer, name and telephone 
number of your direct manager, and name and telephone number of a human 
resource contact;
     During this initial ACES CA session, the CA will also 
enable you to generate--on your own computer--a public and private key 
pair, and your public key would automatically be included in your 
certificate request;
     The CA will use your personal and business information to 
conduct the identity-proofing process; this takes approximately three 
days;
     After the CA validates your identity, you will receive a 
letter via the US Postal Service notifying you that your certificate is 
ready; notification will include a PIN for access to the certificate 
retrieval website;
     You may be asked to return to the ACES CA web site to 
confirm the receipt of your certificate and acknowledge that you have 
read and agree to abide by the conditions of your new EPA-sponsored 
certificate;
     You will download the certificate to your browser, the CA 
notifies CDX that you have received your certificate, and CDX initiates 
step 3.
    Under the ACES approach, the personal information you supply for 
purposes of ``identity proofing'' must include at least three items, 
and at least one of these must be something assigned to you based on an 
in-person identity verification process, e.g. a passport number or 
driver's license number. In addition, because your identity as an 
official of a regulated company is central to your relationship with 
EPA, the ``identity proofing'' performed by the CA may also include 
verification of your company's identity, including address, legal name, 
names of directors and officers, and current operating status. EPA 
seeks comment on any aspect of this ``identity proofing'' approach, and 
specifically on the need to have the CA collect the personal and 
business information listed above, as well as any comment on the ACES 
certificate issuance process as a whole.
    It is worth stressing that the items of personal information 
selected for ``identity proofing'' will be submitted to the CA, and not 
to EPA, and this personal information will not be available to or 
maintained by EPA. However, some basic personal information--
specifically, your name, your contact information (email address, 
phone/fax/mobile/pager numbers), your mailing address and your 
organizational role (e.g., consultant, environmental manager, etc.) may 
be submitted to (or verified as correct by) EPA as a part of step 1 of 
the registration process, preceding ACES certificate issuance. Step 1 
may also involve EPA's collecting or verifying some of the business-
related items that can also be associated with ACES ``identity proofing''--
specifically, your employer's address, common name of your employer, 
legal company name of your employer, name and telephone number of your 
direct manager--plus, possibly, the following additional items of 
information: facility name and address, EPA program reporting area 
(e.g. Hazardous Waste, NPDES, etc.), EPA program or permit 
identification number, and preferred

[[Page 46182]]

method of electronic reporting (e.g., web form, EDI, etc.). EPA seeks 
comment on the need to collect/verify these items of personal and 
business-related information as a part of step 1 of the registration 
process.
    In step 3, CDX will create a system account for you, including a 
controlled-access mailbox, sending you by regular mail the password and 
user identification code to gain access to your account. When you 
initially use these to access your account, you will be instructed to 
download any client desktop software from CDX that may serve to support 
the digital signing of your electronic submissions. You will conclude 
the registration process by printing out and signing on paper a 
registration agreement included with the downloaded software. The 
agreement will affirm your understanding that, among other things:
     Digital signature/certification has the full legal force 
of a corresponding signature created with wet ink on paper;
     You must protect the access to your CDX mailbox, to your 
client CDX desktop, and to the private key used to create your digital 
signature;
     You must never delegate the use of your private key, or 
provide anyone else access to it in any other way;
     You must immediately notify EPA if you have any reason to 
suspect that your CDX mailbox, CDX-supplied client software, or private 
key has been compromised.
    The full agreement would conform closely to the text suggested in 
subsection IV.D.3 of this preamble.
    Upon receiving this agreement, with wet-ink-on-paper signature, CDX 
will recognize you as a fully-registered and authorized user. As 
proposed in today's rule, CDX will require a process for you to renew 
your registration, probably once every two years, although--
corresponding to the discussion in Section IV.D.3 of this preamble--EPA 
seeks comment on less frequent renewals, for example, at intervals of 
3, 4, or 5 years. This will include certifying that you have complied 
with the terms of your initial registration agreement, and, in 
particular, that you have not in any way compromised or delegated 
access to your private key, to your private CDX account, or to your CDX 
client software, and that you have no other evidence that any of these 
items have been compromised. Again, the full text of this agreement 
would conform closely to the text suggested for agreement renewal in 
Section IV.D.3 of this preamble. This certification will probably be 
printed out by your desktop software, require a wet-ink-on-paper 
signature, and be submitted through the United States Postal Service. 
Failure to submit this certification would terminate your access to 
CDX, and could lead EPA to require supplemental certification of 
previous submissions. The EPA is seeking comment on this proposed 
approach to registration renewal, the requirement that the agreement be 
renewed, and the frequency of the renewal. We are also seeking comment 
on whether it could be accomplished via an electronic submission rather 
than on paper.
3. The CDX Architecture
    In designing the CDX architecture, EPA has been guided by three 
goals:
     Flexibility in exchanging data--that is, the ability to 
support a number of different data exchange mechanisms, including batch 
file transfers in various formats, web-based file uploads, as well as 
on-line data entry;
     Uniformity in signing/certifying submissions--that is, 
providing for a uniform way for individuals to sign and certify their 
electronic documents, no matter how the data they contain was 
transferred; and
     Adequate security for all aspects of CDX operation--that 
is, the assurance that authorized users of CDX, including EPA, retain 
control over the CDX operations for which they are responsible.
    The goal of flexibility arises from knowledge that the 
organizations that might want to submit electronic documents to CDX 
apply information technology to environmental management in many different 
ways. At the one extreme may be large companies that have 
correspondingly large quantities of data to submit--data that they 
maintain in databases and would prefer to transfer in as automated a mode 
as possible. At the other extreme are small businesses that may be 
equipped to enter their data into some sort of user-friendly `smart' 
form--on-line or off-line--but would not otherwise computerize their 
environmental data. And, in the middle, are organizations that may use 
relatively simple database or spreadsheet tools for their environmental 
data, but are not prepared to automate a data transfer process. In 
designing CDX, EPA is trying to accommodate all of these varying levels 
of computerization--providing organizations with modes of data transfer 
that fit their capabilities while allowing them to take advantage of 
whatever level of data capture and automation they have already 
achieved.
    While organizations may differ considerably in how they want and 
are able to transfer data, there needs to be a consistent approach for 
the responsible company official's review and certification--by 
signing--to the truth and accuracy of the data transferred. In all 
cases this will be accomplished by a human interaction with the medium 
in which the data is displayed, and some human action to create the 
signature in that medium. For any case that calls for a signature, CDX 
will always provide the same uniform set of procedures for reviewing 
the data and creating the signature.
    The CDX will also be designed to provide the requisite system 
security. Obviously, the CDX must involve protection for the data that 
CDX receives and maintains from any unwanted intrusion or tampering. It 
must also protect the data as it travels from the submitter to the CDX. 
The system security must also include elements that ensure that the 
signature/certification process is not compromised. For example, CDX 
must provide certificate holders with a way to secure their private key 
and to control access to any messages that confirm or respond to 
submissions, so that they can be assured that no spurious transactions 
with CDX will be conducted using their electronic signature.
    To achieve these goals, EPA is planning to base CDX implementation 
on client-server architecture. This means that CDX will manage the 
transactions with submitters through a computer operated by EPA that 
interacts with computers at the submitter's site. To provide for the 
desired flexibility, the EPA server is being designed to accept data 
via a variety of transfer mechanisms in a variety of formats, ranging 
from Internet File Transfer Protocol (FTP) submissions of spread-sheet 
files to standards-based electronic data interchange (EDI) 
transmissions via private value-added network (VAN). These file formats 
and transfer protocols will be discussed below.
    To ensure a uniform signature/certification process, CDX would 
provide the computers from which it accepts electronic documents 
(otherwise known as ``client'' personal computers (PCs)) with copy-
protected and password-protected client software that will support the 
digital signing of your electronic documents. You will be prompted to 
download and install this software once you complete the registration/
certification process, and access your password-protected mailbox on 
the CDX server. (You would also be given a detailed user's guide, which 
will provide step-by-step instructions on download and installation.)
    To operate this CDX client software, and interact with the CDX 
server, your PC system will have to have: Internet

[[Page 46183]]

access; at least a 486 processor (with Pentium recommended); 2 to 5 MB 
of available hard-drive space to install program software; access to a 
printer; and Microsoft Windows 95, 98 or NT 4.0. Given the planned use 
of digital signature certificates, your system will also be required to 
run one of the following Web browsers: Internet Explorer 4.01, Internet 
Explorer 5.0, Netscape 3-4.05, Netscape 4, or subsequent versions of 
these browsers. In addition, you should have backup capability of some 
form (e.g., tape system, off-line disk storage, or access to a separate 
network server); an effective backup program provides protection 
against system malfunctions and ensures that you can retain a copy of 
your submissions as required by EPA regulations. EPA seeks comment on 
whether these system requirements impose unacceptable costs or burdens 
on regulated entities, and whether additional processors and operating 
systems should be accommodated.
    Concerning protection of the server, CDX will be designed to 
incorporate ``firewall'' security, in addition to the usual system 
security provisions to control physical access to the system and 
prohibit unauthorized internal access. Very generally, a ``firewall'' 
is software that controls the flow of data files between a system and a 
network to which it is connected, to ensure (among other things) that 
only files from recognized and safe sources are allowed to enter. As 
transmissions flow through the CDX firewall, for example, they will be 
automatically virus-scanned, and the system would not attempt to 
process a file that contains a suspected virus. (If a virus is 
detected, the submitter would be notified and asked to resubmit the 
report.) The server will also be protected with intrusion detection 
software that alerts the system operators to suspected attempts to 
penetrate or ``hack'' the system. The system operators will use the 
logging capability of the firewall and the intrusion detection system 
to monitor the health and status of the system and respond to 
unauthorized efforts to use or modify the system. In terms of 
protecting the system clock, CDX will be configured so that changes to 
the clock can only be made under a single user ID and password, and the 
server will be placed in a locked rack so that an unauthorized person 
cannot use a reboot sequence to change the clock settings. In addition, 
the system clock will be synchronized with the atomic clock at least 
once a day to ensure that the system time is extremely accurate.
    Once a submission passes through the firewall, CDX will initiate 
the first of several processes that, among other things, will create a 
robust archive of the original submission, including:
     The submission files in their entirety, exactly as they 
were sent, including any enveloping/addressing/routing/date-time 
information. These will be captured and archived upon receipt by CDX, 
immediately after a successful virus scan; archiving will include a 
digital signing of the files by EPA to ensure file integrity;
     The electronic document as it was signed with its 
submitter digital signature affixed; these will be captured after the 
digital signatures are verified, and will include data generated by the 
verification process;
     The electronic document as it was signed, with the 
verified digital signature affixed, the date and time of receipt and 
EPA's digital signature of the entire content; this will constitute the 
``copy of record''; and
     The submission acknowledgments sent back to the submitter 
with EPA signatures, including the date and time these are transmitted.
    If, at a later date, there is a question about the file that was 
received, the EPA can use this sequence of archived files to verify 
that no changes have been made to the original input from the 
submitter. Of course, we believe the fact that these archived files are 
digitally signed will make it impossible for any of these files to be 
modified without detection. As noted earlier, a digital signature is a 
function of the ``message digest'' or ``hash'' of the document or file 
it is used to sign. Any modification to the file would change its 
``hash''--which will be different for each variation of the file--and 
this would automatically invalidate the signature. A change in even a 
single character of a file or document would invalidate its digital 
signature, and would trigger an error warning when processed by the CDX 
server.
    In terms of archive storage, the CDX will archive to multiple 
formats: hard disk, tape, and optical media. This use of multiple 
formats is designed to ensure that degradation of one format would not 
jeopardize EPA's long-term storage capability for submitted data. The 
CDX archives will be written out to an online disk system when they are 
first created. They will be copied to an off-line disk system and also 
backed up to magnetic tape every day, with full backups to tape on a 
weekly basis. The schedule for backup to optical media--and the 
requirements for rapidity of retrieval--have not yet been decided, and 
EPA welcomes any suggestions in this area. The optical media archiving 
is intended to provide for long-term storage, extending to periods of 
20-50 years.
    Finally, CDX will also provide security for data exchanges. To 
protect client-server transactions, including the report submission and 
transmission of acknowledgments, CDX will use a protocol that encrypts 
the files being exchanged between a ``client'' PC and the CDX server 
while these files travel through the network. In addition, the private 
key, as already noted, will be password protected; it will also provide 
separate password protection of access to the private key that 
generates the digital signature. To further protect a user's account 
from theft or spurious use by an intruder across a company network, 
current planning calls for the CDX client software to be ``localized'' 
to the particular PC on which it is installed--preventing access to 
this software installed on a particular PC from other PCs connected to 
it via a network. It is worth adding that, when the private key is 
created--in connection with the registration process--this can be done 
in a way that prohibits its export. If this option is invoked, the 
private key can never be moved--whether to a floppy or to another 
computer--so if a signature-holder had to move to another machine, the 
existing public/private key pair assigned to this individual will have 
to be abandoned, and he or she will have to apply for a new 
certificate. While EPA is not currently planning to require this 
option, we are seeking comment both on whether it would involve too 
much burden for users and on whether the option is necessary to protect 
the private key from compromise.
4. Electronic Data Interchange (EDI) Standards
    As discussed in section IIA, above, EPA has, historically, based 
its approach to electronic reporting on EDI standards, specifically 
those developed and maintained under ANSI ASC X12. Today's proposal 
represents a departure from this approach, in that the regulatory 
language itself does not specify any particular data formats or 
transaction set standards. In addition, as already noted, the system 
that EPA is proposing to use in implementing electronic reporting--the 
`Central Data Exchange'--will not specify ANSI X12 standards as the 
only syntax for automated transfers of compliance data. Nonetheless, 
the EDI standards on which we have relied in the past will still serve 
to define many of the data sets that we expect CDX to accept from our 
submitters.
    There are two reasons for this. The first is simply that a 
significant minority

[[Page 46184]]

of very large company submitters conduct their electronic commerce 
using ANSI-based EDI; we want to be able to accommodate these companies 
and allow them to conduct their transactions with CDX using the same 
infrastructure they use in commerce. The second reason is, generally, 
that ANSI standards continue to provide a precise, well-documented and 
widely-recognized way of describing the structure of electronic 
transactions--including the elements of data involved and how they are 
related to each other. By providing this clarity, these standards-based 
descriptions facilitate the implementation of an electronic transfer 
even where ANSI X12 is replaced by another format for the data files--
that is, another way of ordering, grouping, labeling and separating the 
elements of data. In addition, many of the commercial off-the-shelf 
(COTS) electronic commerce products can translate X12 syntax into other 
formats, such as ``Extensible Mark-up Language'' (XML).
    CDX will make EDI available for many, if not all, of the reports 
and other documents it is set up to receive. Beyond issues of 
configuring the CDX server software to recognize and process EDI-
formatted files, implementation of EDI is largely a matter of 
developing the implementation guidance for each of the environmental 
reports to be supported. As noted in Section II.A of this preamble, the 
implementation guidance does three things. First, it addresses such 
procedural matters as: interactions with the communications network 
(which, under current plans, can be a `value-added network' or `VAN', 
but can also be the Internet), schedule for submissions and 
acknowledgments, transaction records to be maintained, and so on. 
Second, it stipulates the specific ANSI X12 standard file transmission 
formats--that is, ``transaction sets''--to be used for the specified 
reports. Third, the guidance specifies how the stipulated transaction 
sets being used are to be interpreted as they are applied to the 
environmental report in question.
    As noted in Section II.A, X12 transaction sets are generic in the 
sense that they typically leave a number of their components as 
`optional', and use data-element specifications that are open to 
multiple interpretations. Therefore the implementation guidance must, 
at the very least, establish the correlation between the generic data 
elements and the specific data elements in the EPA report that would be 
put into this format--in essence, this is to specify which data field 
in the EPA report goes where in the transaction set format. This is 
sometimes described as mapping the generic transaction set to the 
particular set of data elements it will serve to format. The result of 
this ``mapping'' process is often referred to as the ``implementation 
convention'' (IC) of the transaction set for the report or document in 
question. Accordingly, each EPA program-specific implementation 
guidance will include the applicable ICs.
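An implementation convention can be expressed as data and enforced at the receiving end. The Go example below is added for illustration and is not an EPA or FESMCC artifact: the segment ID XM1, its element positions, its codes and the sample transmission are constructed, and `*` and `~` are assumed as the element and segment delimiters.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one line of an implementation convention: it binds a generic element
// position to a named report field and may tighten what the generic set allows.
type Rule struct {
	Pos      int      // 1-based element position within the segment
	Field    string   // report field carried at this position
	Required bool     // optional in the generic set, mandatory under the IC
	Codes    []string // permitted values; nil means free text
}

// Convention maps a segment ID to the rules for its elements.
type Convention map[string][]Rule

// demoIC is invented for this example. Segment ID, positions and codes are
// constructed and are not taken from the 863E convention.
var demoIC = Convention{
	"XM1": {
		{1, "monitoring_point", true, nil},
		{2, "parameter", true, []string{"PH", "TSS", "BOD5"}},
		{3, "value", true, nil},
		{4, "unit", false, []string{"SU", "MG/L"}},
	},
}

// allowed reports whether v is a permitted code; an empty list permits any value.
func allowed(codes []string, v string) bool {
	for _, c := range codes {
		if c == v {
			return true
		}
	}
	return len(codes) == 0
}

// Apply splits a transmission into segments and returns one field map per
// conforming segment plus a list of violations. Anything the convention gives
// no meaning to is rejected rather than passed through.
func Apply(ic Convention, raw string) (records []map[string]string, violations []string) {
	for i, seg := range strings.Split(raw, "~") {
		seg = strings.TrimSpace(seg)
		if seg == "" {
			continue
		}
		el := strings.Split(seg, "*")
		rules, known := ic[el[0]]
		if !known {
			violations = append(violations, fmt.Sprintf("segment %d: %q is not in the convention", i+1, el[0]))
			continue
		}
		rec, bad, mapped := map[string]string{}, false, 0
		for _, r := range rules {
			v := ""
			if r.Pos < len(el) {
				v = el[r.Pos]
			}
			if r.Pos > mapped {
				mapped = r.Pos
			}
			switch {
			case v == "" && r.Required:
				violations = append(violations, fmt.Sprintf("segment %d: %s (element %d) is required", i+1, r.Field, r.Pos))
				bad = true
			case v != "" && !allowed(r.Codes, v):
				violations = append(violations, fmt.Sprintf("segment %d: %q is not a permitted %s", i+1, v, r.Field))
				bad = true
			case v != "":
				rec[r.Field] = v
			}
		}
		if len(el)-1 > mapped {
			violations = append(violations, fmt.Sprintf("segment %d: elements beyond position %d are not mapped", i+1, mapped))
			bad = true
		}
		if !bad {
			records = append(records, rec)
		}
	}
	return
}

// sample is a constructed transmission: one conforming segment and three that
// a generic parser would accept but the convention does not.
const sample = "XM1*OUTFALL-001*PH*7.2*SU~" +
	"XM1*OUTFALL-001*TSS~" +
	"XM1*OUTFALL-001*COD*41*MG/L~" +
	"XM1*OUTFALL-001*BOD5*12*MG/L*note~"

func main() {
	records, violations := Apply(demoIC, sample)
	fmt.Println(records)
	fmt.Println(strings.Join(violations, "\n"))
}
```

Only the first segment yields a record; the other three are syntactically well-formed but fail the convention (missing required value, unlisted parameter code, unmapped extra element).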
    EPA has written and codified ICs for many of the Agency's major 
compliance reports, and several more are under development. These ICs 
have been (or will be) approved as a `Federal Implementation 
Convention'. This approval process, which involves public notice and 
comment, is managed by the Federal Electronic Data Interchange 
Standards Management Coordinating Committee (FESMCC), under the Federal 
Information Processing Standard Publication (FIPS PUB) 161-2, entitled 
``Electronic Data Interchange.'' All approved Federal IC's are 
registered with the National Institute of Standards and Technology 
(NIST). The NIST registry, now including 863E, is posted at: http://snad.ncsl.nist.gov/fededi/. Whenever EPA intends to upgrade to a new 
version or release of the ANSI X12 standards, or in any other way 
modify the applicable IC, EPA will give notice of its intent in the 
Federal Register and will establish a conversion date. Affected 
regulated entities will then have a minimum of sixty (60) calendar days 
from the conversion date to conform to the modified IC; EPA will 
discontinue support of the previous version of the IC no sooner than 
ninety (90) calendar days after the conversion date.
    The full list of currently approved ICs is:
     863E--Report of Test Results (Discharge Monitoring 
Report): This IC is available in PDF, RTF, ASCII, SEF formats for 
Version 4010 from http://snad.ncsl.nist.gov/dartg/edi/4010-ic.html
     The 863S--Report of Test Results (Safe Drinking Water) IC 
is currently in the FESMCC approval process. When approved, it will be 
available in PDF, RTF, ASCII, SEF formats for Version 4010.
    In addition, ANSI ASC X12 has recently approved a new transaction 
set specifically developed by EPA to support environmental reporting, 
the 179. The 179 consolidates several EPA reports into a single 
transaction set. The 179 can convey a Discharge Monitoring Report, 
Hazardous Waste Report, Toxic Release Inventory report, the Air 
Emission Inventory report, or Risk Management Plan. The 179 was 
published initially in the ANSI ASC Version 4031. The ICs for the 179 
are being developed and will be coordinated through the FESMCC process and 
published on the NIST web site after approval.
5. The Transaction Environment
    As explained in earlier sections, CDX would allow submitters to 
transmit data either through automated file transfer, or via on-screen 
``smart forms'' provided as a part of the downloaded ``desktop''. In 
either case, however, the signature/certification ``scenario''--that 
is, the series of steps surrounding the digital signing of the report--
will be the same, consisting of:
     A data review sequence,
     The signature process, and
     An acknowledgment sequence.
    These steps will largely be governed by operation of the CDX 
software, and the interaction of the client PC with the CDX server.
    Taking these in order, data review will take place online, with the 
CDX server providing the transmitted data for submitter review in a 
format that is easily read and understood, possibly with a visual 
layout similar to the applicable paper form (if there is one). The 
server will present the data one screen at a time--downloaded to the 
client browser--and it will not allow the submitter to initiate the 
signing process until the last screen has appeared. The review sequence 
will end when the submitter clicks a button at the bottom of the last 
data screen to initiate signature.
    Once initiated, the signature process will first display the 
certification statement, certifying to the truth of the data to be 
submitted, and also including a warning that by initiating the signing 
process the submitter agrees that he or she is using the signature in 
compliance with the signature agreement that was signed when the 
signature device was issued. The exact content and wording of the first 
of these statements will be consistent with the language suggested for 
this purpose in sub-section IV.D.4 of this preamble. In any event, the 
submitter will be prompted to click agreement with this statement, 
after which the submitter will be prompted to enter his or her password, 
launching the digital signature process. The digital signature will be 
created by using the submitter's private key to encrypt a `hash' of all 
the elements of the screens the submitter has reviewed--including 
screen layout, data field labels, data elements, and certification 
statements. Once the signature is created and affixed, the signed 
report will be immediately transmitted to the server.
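The review gate and a signature that covers every element of the reviewed screens can be demonstrated as follows. This Go program is an added example and is not CDX code; Ed25519, SHA-256, the length-prefixed framing and all type names are assumptions, and the sample report and certification text are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Field, Screen and Review model what the submitter is shown. All names are
// assumptions of this example, not CDX data structures.
type Field struct{ Label, Value string }

type Screen struct {
	Layout string // identifier of the visual layout that was rendered
	Fields []Field
}

type Review struct {
	Screens       []Screen
	Certification string
	shown         int // number of screens displayed so far
}

var ErrNotReviewed = errors.New("signing refused: last screen not yet displayed")

// put appends s to the buffer. When framed, it first writes a tag and a length
// prefix, so element boundaries become part of the hashed bytes.
func put(b *bytes.Buffer, framed bool, tag byte, s string) {
	if framed {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(s)))
		b.WriteByte(tag)
		b.Write(n[:])
	}
	b.WriteString(s)
}

// Digest hashes layout, labels, values and the certification statement.
func (r *Review) Digest(framed bool) []byte {
	var b bytes.Buffer
	for _, s := range r.Screens {
		put(&b, framed, 'L', s.Layout)
		for _, f := range s.Fields {
			put(&b, framed, 'K', f.Label)
			put(&b, framed, 'V', f.Value)
		}
	}
	put(&b, framed, 'C', r.Certification)
	sum := sha256.Sum256(b.Bytes())
	return sum[:]
}

// ShowNext records that one more screen has been displayed.
func (r *Review) ShowNext() { r.shown++ }

// Sign refuses to run until every screen has been displayed.
func (r *Review) Sign(key ed25519.PrivateKey) ([]byte, error) {
	if r.shown < len(r.Screens) {
		return nil, ErrNotReviewed
	}
	return ed25519.Sign(key, r.Digest(true)), nil
}

// sample builds a constructed two-screen report with one variable field.
func sample(label, value string) *Review {
	return &Review{
		Screens: []Screen{
			{Layout: "page-1", Fields: []Field{{"Facility", "CONSTRUCTED-001"}}},
			{Layout: "page-2", Fields: []Field{{label, value}}},
		},
		Certification: "constructed placeholder certification text",
	}
}

// Run exercises the gate and both digests on the constructed data.
func Run() (early error, valid, naiveCollides, movedValid bool) {
	key := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{7}, ed25519.SeedSize)) // fixed demo key
	pub := key.Public().(ed25519.PublicKey)
	r := sample("Limit", "10")
	r.ShowNext()
	_, early = r.Sign(key) // only one of two screens shown so far
	r.ShowNext()
	sig, _ := r.Sign(key)
	valid = ed25519.Verify(pub, r.Digest(true), sig)
	moved := sample("Limit1", "0") // same characters, label/value boundary moved
	naiveCollides = bytes.Equal(r.Digest(false), moved.Digest(false))
	movedValid = ed25519.Verify(pub, moved.Digest(true), sig)
	return
}

func main() {
	fmt.Println(Run())
}
```

Without framing, the label ``Limit'' with value ``10'' and the label ``Limit1'' with value ``0'' hash to the same digest; with framing they do not, so the signature made over the first does not verify for the second.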

[[Page 46185]]

    Transmission to the server will initiate the acknowledgment 
sequence. Upon receipt of the transmission, CDX will automatically 
create an acknowledgment that includes the date and time of receipt. 
This acknowledgment will be posted to the submitter's password-
protected mailbox on the server, and/or to a submitter-specified email 
address. In addition, the server will also create a ``copy of record'' 
of the submission, by applying an EPA digital signature to the entire 
file received, including the submitter's digital signature. EPA will 
count this ``copy of record'' as the ``original'' of the submission for 
all legal purposes, and will maintain this electronic document in the 
CDX archive. As currently planned, this ``copy of record'' will be 
placed in the submitter's password-protected mailbox on the server. 
When the submitter next logs into CDX, the first screen he or she sees 
will present the list of copies of record (and acknowledgments, unless 
these are sent by email) that currently await submitter review; the 
submitter will be able to download and archive these documents. Of 
course, the submitter will be encouraged to review these copies of 
record to confirm that they correspond with what he or she intended to 
submit, and to notify EPA immediately in the case of any discrepancy.
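The copy of record described here, and in the earlier discussion of the CDX archive, can be audited as shown below. This Go program is an added example and is not EPA's implementation; Ed25519, SHA-256, the record layout and all names are assumptions, and the sample document and receipt time are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// CopyOfRecord holds the document as signed, the submitter's signature, the
// time of receipt and the receiver's signature over all three. Type and field
// names are assumptions of this example.
type CopyOfRecord struct {
	Document     []byte
	SubmitterSig []byte
	ReceivedUnix int64
	ReceiverSig  []byte
}

var (
	ErrSubmitterSig = errors.New("submitter signature does not verify")
	ErrReceiverSig  = errors.New("receiver signature does not verify")
)

// demoKey derives a fixed key so the example is reproducible. Production keys
// come from ed25519.GenerateKey with a cryptographic random source.
func demoKey(b byte) (ed25519.PrivateKey, ed25519.PublicKey) {
	k := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
	return k, k.Public().(ed25519.PublicKey)
}

// receiptDigest hashes the length-prefixed document and submitter signature
// followed by the receipt time, i.e. the entire content of the record.
func receiptDigest(doc, sig []byte, receivedUnix int64) []byte {
	h := sha256.New()
	var n [8]byte
	for _, part := range [][]byte{doc, sig} {
		binary.BigEndian.PutUint64(n[:], uint64(len(part)))
		h.Write(n[:])
		h.Write(part)
	}
	binary.BigEndian.PutUint64(n[:], uint64(receivedUnix))
	h.Write(n[:])
	return h.Sum(nil)
}

// Receive verifies the submitter's signature, then counter-signs the result.
func Receive(doc, sig []byte, subPub ed25519.PublicKey, recKey ed25519.PrivateKey, now int64) (*CopyOfRecord, error) {
	if !ed25519.Verify(subPub, doc, sig) {
		return nil, ErrSubmitterSig
	}
	return &CopyOfRecord{doc, sig, now, ed25519.Sign(recKey, receiptDigest(doc, sig, now))}, nil
}

// Audit re-checks the receiver's signature, then the submitter's.
func Audit(c CopyOfRecord, subPub, recPub ed25519.PublicKey) error {
	if !ed25519.Verify(recPub, receiptDigest(c.Document, c.SubmitterSig, c.ReceivedUnix), c.ReceiverSig) {
		return ErrReceiverSig
	}
	if !ed25519.Verify(subPub, c.Document, c.SubmitterSig) {
		return ErrSubmitterSig
	}
	return nil
}

// Demo audits an untouched record and three altered copies of it.
func Demo() (clean, oneChar, backdated, resigned error) {
	subKey, subPub := demoKey(1)
	recKey, recPub := demoKey(2)
	doc := []byte("facility=CONSTRUCTED-001;parameter=pH;value=7.2") // constructed sample
	rec, err := Receive(doc, ed25519.Sign(subKey, doc), subPub, recKey, 999216000)
	if err != nil {
		return err, err, err, err
	}
	clean = Audit(*rec, subPub, recPub)

	a := *rec // one character of the archived document changed
	a.Document = bytes.Replace(rec.Document, []byte("7.2"), []byte("7.3"), 1)
	oneChar = Audit(a, subPub, recPub)

	b := *rec // receipt time moved back one day
	b.ReceivedUnix -= 86400
	backdated = Audit(b, subPub, recPub)

	c := a // same altered document, now re-signed with the receiver's own key
	c.ReceiverSig = ed25519.Sign(recKey, receiptDigest(c.Document, c.SubmitterSig, c.ReceivedUnix))
	resigned = Audit(c, subPub, recPub) // still fails: submitter signature no longer matches
	return
}

func main() {
	fmt.Println(Demo())
}
```

The first two altered copies fail at the receiver's signature; the third, re-signed with the receiver's key, fails at the submitter's signature, which is why the record carries both.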
    In our design of this three-part scenario (data review, signature 
process, and acknowledgment), our major goals have been to make CDX 
simple, intuitive and easy for submitters to use, while--at the same 
time--ensuring that a submitter knows and understands what he or she is 
certifying, the meaning of affixing a digital signature to the 
electronic document, what has happened, and what EPA considers to be 
the document that was submitted. EPA seeks comment on the 
appropriateness of these goals and whether more or less should be 
designed into CDX to ensure that it meets these goals.

VI. Regulatory Requirements

A. Executive Order 12866

    Pursuant to the terms of Executive Order 12866 (58 FR 51735, 
October 4, 1993), it has been determined that this rule is a 
``significant regulatory action'' because it raises novel legal and/or 
policy issues. As such, this action was submitted to OMB for review. 
Changes made in response to OMB suggestions or recommendations will be 
documented in the public record.

B. Executive Order 13132

    Executive Order 13132, entitled ``Federalism'' (64 FR 43255, August 
10, 1999), requires EPA to develop an accountable process to ensure 
``meaningful and timely input by State and local officials in the 
development of regulatory policies that have federalism implications.'' 
``Policies that have federalism implications'' is defined in the 
Executive Order to include regulations that have ``substantial direct 
effects on the States, on the relationship between the national 
government and the States, or on the distribution of power and 
responsibilities among the various levels of government.''
    Under Section 6 of Executive Order 13132, EPA may not issue a 
regulation that has federalism implications, that imposes substantial 
direct compliance costs, and that is not required by statute, unless 
the Federal government provides the funds necessary to pay the direct 
compliance costs incurred by State and local governments, or EPA 
consults with State and local officials early in the process of 
developing the proposed regulation. EPA also may not issue a regulation 
that has federalism implications and that preempts State law, unless 
the Agency consults with State and local officials early in the process 
of developing the proposed regulation.
    This proposed rule does not have federalism implications. It will 
not have substantial direct effects on the States, on the relationship 
between the national government and the States, or on the distribution 
of power and responsibilities among the various levels of government, 
as specified in Executive Order 13132. The proposed rule would not 
require States to accept electronic reports. The effect of this rule 
would be to provide additional regulatory flexibility to States because 
States could choose to accept electronic data in satisfaction of EPA 
reporting requirements. Authorized States that did choose to accept 
electronic reports under this rule would incur expenses initially in 
developing systems or modifying existing systems to meet the criteria 
in this rule. However, the Cost/Benefit analysis associated with this 
proposed rule, summarized in section IV.E of this preamble, estimates 
that States' overall cost savings from implementing electronic 
reporting will more than compensate for these initial expenses. 
Additionally, EPA believes that even in the absence of this proposed 
rule, States implementing electronic reporting on their own initiative 
would generally choose to meet the criteria that this rule proposes. 
Thus, the requirements of section 6 of the Executive Order do not apply 
to this rule. Although section 6 of Executive Order 13132 does not 
apply to this rule, EPA did consult with State and local officials in 
developing this rule.

C. Paperwork Reduction Act

    The information collection requirements in this proposed rule have 
been submitted for approval to the Office of Management and Budget 
(OMB) under the Paperwork Reduction Act (PRA), 44 U.S.C. 3501 et seq. 
An Information Collection Request (ICR) document has been prepared by 
EPA (ICR No. 2002.02) and a copy may be obtained from Sandy Farmer by 
mail at Collection Strategies Division; U.S. Environmental Protection 
Agency (2822); 1200 Pennsylvania Ave., NW, Washington, DC 20460, by 
email at [email protected], or by calling (202) 260-2740. A 
copy may also be downloaded off the Internet at 
http://www.epa.gov/icr.
    The proposed rule would allow reporting entities to voluntarily 
submit reports and other information electronically, thereby 
streamlining and expediting the process for reporting. It will also 
allow facilities to maintain electronic records for information/data 
currently required by regulation or statute to be maintained by the 
regulated entity onsite. EPA is proposing this rule on cross-media 
electronic reporting and record-keeping, in part, under the authority 
of the Government Paperwork Elimination Act, Public Law 105-277, which 
amends the PRA.
    The CROMERRR ICR primarily covers the registration information 
which will be collected from individuals wishing to submit electronic 
reports on behalf of a regulated entity and will be used to establish 
the identity of that individual and the regulated entity he or she will 
represent. It also covers activities incidental to electronic 
reporting. Submission of reports in an electronic format will be 
voluntary.
    The total annual reporting and record-keeping burden this ICR 
estimates for all facilities is 874,853 hours, which includes the tasks 
of collecting data, managing the system, and keeping records. A more 
detailed description of these activities includes the following: 
registering with EPA or State electronic document receiving systems, 
including invitation, verification, certificate issuance, and access 
and agreement; renewing registration with the electronic document 
receiving system once every two years; activities related to 
maintaining the electronic signature, including renewing the signature

[[Page 46186]]

certificate, reporting loss, theft, or other compromise of any 
component of an electronic signature, and surrender of electronic 
signature; and facility electronic record-keeping, including generating 
and maintaining complete e-records and documents. It is expected that 
tasks associated with system registration will take an average of one 
(1) hour per registrant/entity and the estimated number of likely 
respondents is 324,370. For the first year, there will be start-up and 
annual operation and maintenance (O&M) costs. Costs for the following 
two years will only involve annual O&M, based on the assumption that 
the registration will be valid for three years. Total annual start-up 
costs are estimated at $10,700,000.00 and annual O&M costs are 
estimated at $5,100,123.96.
    Burden means the total time, effort, or financial resources 
expended by persons to generate, maintain, retain, or disclose or 
provide information to or for a Federal agency. This includes the time 
needed to review instructions; develop, acquire, install, and utilize 
technology and systems for the purposes of collecting, validating, and 
verifying information, processing and maintaining information, and 
disclosing and providing information; adjust the existing ways to 
comply with any previously applicable instructions and requirements; 
train personnel to be able to respond to a collection of information; 
search data sources; complete and review the collection of information; 
and transmit or otherwise disclose the information.
    An Agency may not conduct or sponsor, and a person is not required 
to respond to a collection of information unless it displays a 
currently valid OMB control number. The OMB control numbers for EPA's 
regulations are listed in 40 CFR part 9 and 48 CFR chapter 15.
    Comments are requested on the Agency's need for this information, 
the accuracy of the provided burden estimates, and any suggested 
methods for minimizing respondent burden, including through the use of 
automated collection techniques. Send comments on the ICR to the 
Director, Collection Strategies Division; U.S. Environmental Protection 
Agency (2822); 1200 Pennsylvania Ave., NW., Washington, DC 20460; and 
to the Office of Information and Regulatory Affairs, Office of 
Management and Budget, 725 17th St., NW., Washington, DC 20503, marked 
``Attention: Desk Officer for EPA.'' Include the ICR number in any 
correspondence. Since OMB is required to make a decision concerning the 
ICR between 30 and 60 days after August 31, 2001, a comment to OMB is 
best assured of having its full effect if OMB receives it by October 1, 
2001. The final rule will respond to any OMB or public comments on the 
information collection requirements contained in this proposal.

D. Regulatory Flexibility Act

    The Regulatory Flexibility Act (RFA), 5 U.S.C. 601 et seq., 
provides that, whenever an agency promulgates a proposed rule under 
section 553 of the Administrative Procedures Act, after being required 
by that section or any other law to publish a general notice of 
rulemaking, the agency generally must prepare an initial regulatory 
flexibility analysis (IRFA). The agency must prepare a Final Regulatory 
Flexibility Analysis (FRFA) for a final rule unless the head of the 
agency certifies that it will not have a significant economic impact on 
a substantial number of small entities.
    Today's rule is not subject to the RFA because electronic reporting 
and record-keeping is voluntary and will only apply to those States and 
tribes that seek EPA approval to allow electronic reporting and record-
keeping under their authorized programs and to regulated entities that 
seek to maintain records or transmit compliance reports electronically 
to EPA or authorized/approved States or tribes. These changes will 
reduce the burden on all affected entities, including small businesses. 
Accordingly, this rule is certified as having no significant economic 
impact on a substantial number of small businesses. Respondent burden 
is the burden placed upon each individual reporting entity involved in 
set up, configuration and implementation of electronic submission of 
environmental compliance reports. Regulated entities will find that the 
initial set up process requires some expenditure of time and resources, 
but in the long run, this process will reduce the time spent on 
submissions each year. The Cost/Benefit analysis associated with this 
proposed rule, summarized in section IV.E, estimates that electronic 
reporting and record-keeping, when fully implemented, will reduce 
regulated facility compliance cost by more than $300 million per year. 
The Administrator therefore certifies, pursuant to section 605(b) of 
the RFA, that this rule will not have a significant economic impact on 
a substantial number of small entities.

E. Unfunded Mandates Reform Act

    Title II of the Unfunded Mandates Reform Act of 1995 (UMRA), Public 
Law 104-4, establishes requirements for Federal agencies to assess the 
effects of their regulatory actions on State, local, and tribal 
governments and the private sector. Under section 202 of the UMRA, EPA 
generally must prepare a written statement, including a cost-benefit 
analysis, for proposed and final rules with ``Federal mandates'' that 
may result in expenditures to State, local, and tribal governments, in 
the aggregate, or to the private sector, of $100 million or more in any 
one year. Before promulgating an EPA rule for which a written statement 
is needed, section 205 of the UMRA generally requires EPA to identify 
and consider a reasonable number of regulatory alternatives and adopt 
the least costly, most cost-effective or least burdensome alternative 
that achieves the objectives of the rule. The provisions of section 205 
do not apply when they are inconsistent with applicable law. Moreover, 
section 205 allows EPA to adopt an alternative other than the least 
costly, most cost-effective or least burdensome alternative if the 
Administrator publishes with the final rule an explanation why that 
alternative was not adopted.
    Before EPA establishes any regulatory requirements that may 
significantly or uniquely affect small governments, including tribal 
governments, it must have developed under section 203 of the UMRA a 
small-government agency plan. The plan must provide for notifying 
potentially affected small governments, enabling officials of affected 
small governments to have meaningful and timely input in the 
development of EPA regulatory proposals with significant Federal 
intergovernmental mandates, and informing, educating, and advising 
small governments on compliance with the regulatory requirements.
    The Agency has determined that this rule does not contain a Federal 
mandate that may result in expenditures of $100 million or more for 
State, local and tribal governments, in the aggregate, or the private 
sector in any one year. Today's rule provides additional flexibility to 
the States in complying with current regulatory requirements and 
reduces the burden on affected governments. Thus, today's rule is not 
subject to the requirements in sections 202 and 205 of the UMRA.
    The Agency has determined that this rule contains no regulatory 
requirements that might significantly or uniquely affect small 
governments and thus this rule is not subject to the requirements in 
section 203 of UMRA. This rule will not significantly affect small 
governments because it provides additional flexibility in complying 
with pre-existing regulatory requirements.

[[Page 46187]]

F. National Technology Transfer and Advancement Act

    Section 12(d) of the National Technology Transfer and Advancement 
Act of 1995 (``NTTAA''), Public Law 104-113, section 12(d) (15 U.S.C. 
272 note) directs EPA to use voluntary consensus standards in its 
regulatory activities unless to do so would be inconsistent with 
applicable law or otherwise impractical. Voluntary consensus standards 
are technical standards (e.g., materials specifications, test methods, 
sampling procedures, and business practices) that are developed or 
adopted by voluntary consensus standards bodies. The NTTAA directs EPA 
to provide Congress, through OMB, explanations when the Agency decides 
not to use available and applicable voluntary consensus standards.
    This rulemaking involves information technology standards for 
electronic formats and for electronic signatures. EPA is exploring a 
number of standards-based approaches to Web forms, including electronic 
data exchange formats based upon the American National Standards 
Institute (ANSI) Accredited Standards Committee's (ASC) X12 for 
Electronic Data Interchange or EDI. EPA is also proposing Internet data 
exchange formats based on the Extensible Mark-up Language (XML) 
specifications developed by the World Wide Web Consortium (W3C). The 
World Wide Web Consortium, however, is not a voluntary consensus 
standards body within the meaning of the NTTAA, and EPA could not 
identify an applicable consensus standard for creating and transmitting 
data using XML. Therefore, EPA has decided to propose an XML data 
exchange format, referred to as a document type definition for Internet 
transmissions as an alternative to the ANSI ASC X12 formats that are 
customarily transmitted across Value Added Networks. It is possible 
that the ANSI ASC X12 standards body will develop standards for XML 
document definitions in the future, and EPA will monitor this situation 
as we develop a final rulemaking.

G. Executive Order 13045

    The Executive order, Protection of Children from Environmental 
Health Risks and Safety Risks (62 FR 19885, April 23, 1997) applies to 
any rule that EPA determines (1) is ``economically significant'' as 
defined under Executive Order 12866 and (2) concerns an environmental 
health or safety risk that EPA has reason to believe may have a 
disproportionate effect on children. EPA interprets the Executive Order 
13045 as encompassing only those regulatory actions that are risk-based 
or health-based, such that the analysis required under section 5-501 of 
the Executive Order has the potential to influence the regulation.
    This rule is not subject to Executive Order 13045 because it is not 
an economically significant action as defined by Executive Order 12866 
and it does not involve decisions regarding environmental health or 
safety risks. This rule develops technical procedures for the voluntary 
submission of environmental compliance data electronically.

H. Executive Order 13175

    Executive Order 13175, entitled, ``A Consultation and Coordination 
with Indian Tribal Governments'' (65 FR 67249, November 6, 2000), 
requires EPA to develop an accountable process to ensure ``meaningful 
and timely input by tribal officials in the development of regulatory 
policies that have tribal implications.'' ``Policies that have tribal 
implications'' is defined in the Executive Order to include regulations 
that have ``substantial direct effects on one or more Indian tribes, on 
the relationship between the Federal government and the Indian tribes, 
or on the distribution of power and responsibilities between the 
Federal government and Indian tribes.''
    This proposed rule does not have tribal implications. It will not 
have substantial direct effects on tribal governments, on the 
relationship between the Federal government and Indian tribes, or on 
the distribution of power and responsibilities between the Federal 
government and Indian tribes, as specified in Executive Order 13175. 
The proposed rule would not require Indian tribes to accept electronic 
reports. The effect of this rule would be to provide additional 
regulatory flexibility to Indian tribes because tribes could choose to 
accept electronic data in satisfaction of EPA reporting requirements. 
Authorized tribal programs that did choose to accept electronic reports 
under this rule would incur expenses initially in developing systems or 
modifying existing systems to meet the criteria in this rule. However, 
the Cost/Benefit analysis associated with this proposed rule, 
summarized in section IV.E of this preamble, estimates that tribes' 
overall cost savings from implementing electronic reporting will more 
than compensate for these initial expenses. Additionally, EPA believes 
that even in the absence of this proposed rule, Indian tribes' 
implementing electronic reporting on their own initiative would 
generally choose to meet the criteria that this rule proposes. Thus, 
Executive Order 13175 does not apply to this rule. In the spirit of 
Executive Order 13175, and consistent with EPA policy to promote 
communications between EPA and tribal governments, EPA specifically 
solicits additional comment on this proposed rule from tribal 
officials.

I. Executive Order 13211 (Energy Effects)

    This rule is not a ``significant energy action'' as defined in 
Executive Order 13211, ``Actions Concerning Regulations That 
Significantly Affect Energy Supply, Distribution, or Use'' (66 FR 28355 
(May 22, 2001)) because it is not likely to have a significant adverse 
effect on the supply, distribution, or use of energy. EPA has concluded 
that this rule is not likely to have any adverse energy effects.

List of Subjects

40 CFR Part 3

    Electronic Reporting and recordkeeping requirements, Electronic 
reports, Electronic records, Intergovernmental relations.

40 CFR Part 51

    Environmental protection, Administrative practice and procedure, 
Air pollution control, Carbon monoxide, Intergovernmental relations, 
Lead, Nitrogen dioxide, Ozone, Particulate matter, Reporting and 
recordkeeping requirements, Sulfur oxides, Volatile organic compounds, 
Electronic Reporting and recordkeeping requirements, electronic 
reports, electronic records.

40 CFR Part 60

    Environmental protection, Administrative practice and procedure, 
Air pollution control, Intergovernmental relations, Reporting and 
recordkeeping requirements, Electronic Reporting and recordkeeping 
requirements, electronic reports, electronic records.

40 CFR Part 63

    Environmental protection, Air pollution control, Hazardous 
substances, Reporting and recordkeeping requirements, Electronic 
Reporting and recordkeeping requirements, Electronic reports, 
Electronic records, Intergovernmental relations.

40 CFR Part 70

    Environmental protection, Administrative practice and procedure, 
Intergovernmental relations, Electronic Reporting and recordkeeping

[[Page 46188]]

requirements, Electronic reports, Electronic records.

40 CFR Part 123

    Environmental protection, Administrative practice and procedure, 
Confidential business information, Hazardous substances, Indians-lands, 
Intergovernmental relations, Penalties, Reporting and recordkeeping 
requirements, Water pollution control, Electronic Reporting and 
recordkeeping requirements, Electronic reports, Electronic records.

40 CFR Part 142

    Environmental protection, Administrative practice and procedure, 
Chemicals, Indians-lands, Radiation protection, Reporting and 
recordkeeping requirements, Water supply, Electronic Reporting and 
recordkeeping requirements, Electronic reports, Electronic records, 
Intergovernmental relations.

40 CFR Part 145

    Environmental protection, Confidential business information, 
Indians-lands, Intergovernmental relations, Penalties, Reporting and 
recordkeeping requirements, Water supply, Electronic Reporting and 
recordkeeping requirements, Electronic reports, Electronic records.

40 CFR Part 162

    Environmental protection, Administrative practice and procedure, 
Reporting and recordkeeping requirements, Pesticides and pests, State 
registration of pesticide products, Electronic Reporting and record-
keeping requirements, Electronic reports, Electronic records, 
Intergovernmental relations.

40 CFR Part 233

    Environmental protection, Administrative practice and procedure, 
Intergovernmental relations, Penalties, Reporting and recordkeeping 
requirements, Water pollution control, Electronic Reporting and record-
keeping requirements, Electronic reports, Electronic records.

40 CFR Part 257

    Environmental protection, Waste treatment and disposal, Electronic 
Reporting and recordkeeping requirements, Electronic reports, 
Electronic records, Intergovernmental relations.

40 CFR Part 258

    Environmental protection, Reporting and recordkeeping requirements, 
Waste treatment and disposal, Water pollution control, Electronic 
Reporting and recordkeeping requirements, Electronic reports, 
Electronic records, Intergovernmental relations.

40 CFR Part 271

    Environmental protection, Administrative practice and procedure, 
Confidential business information, Hazardous materials transportation, 
Hazardous waste, Indians-lands, Intergovernmental relations, Penalties, 
Reporting and record-keeping requirements, Water pollution control, 
Water supply, Electronic Reporting and recordkeeping requirements, 
Electronic reports, Electronic records.

40 CFR Part 281

    Environmental protection, Administrative practice and procedure, 
Hazardous substances, Insurance, Intergovernmental relations, Oil 
pollution, Reporting and recordkeeping requirements, Surety bonds, 
Water pollution control, Water supply, Electronic Reporting and record-
keeping requirements, Electronic reports, Electronic records.

40 CFR Part 403

    Environmental protection, Confidential business information, 
Reporting and recordkeeping requirements, Waste treatment and disposal, 
Water pollution control, Electronic Reporting and record-keeping 
requirements, Electronic reports, Electronic records, Intergovernmental 
relations.

40 CFR Part 501

    Environmental protection, Administrative practice and procedure, 
Intergovernmental relations, Penalties, Reporting and recordkeeping 
requirements, Sewage disposal, Electronic Reporting and record-keeping 
requirements, Electronic reports, Electronic records.

40 CFR Part 745

    Environmental protection, Hazardous substances, Lead poisoning, 
Reporting and recordkeeping requirements, Electronic Reporting and 
record-keeping requirements, Electronic reports, Electronic records, 
Intergovernmental relations.

40 CFR Part 763

    Environmental protection, Administrative practice and procedure, 
Toxic substances, Asbestos, Hazardous substances, Imports, Reporting 
and recordkeeping requirements, Electronic Reporting and record-keeping 
requirements, Electronic reports, Electronic records, Intergovernmental 
relations.

    Dated: August 23, 2001.
Christine Todd Whitman,
Administrator.
    Therefore, it is proposed that title 40 chapter I of the Code of 
Federal Regulations be amended by adding a new part 3, and revising 
parts 51, 60, 63, 70, 123, 142, 145, 162, 233, 257, 258, 271, 281, 403, 
501, 745, and 763 to read as follows:

PART 3--[NEW] ELECTRONIC REPORTING; ELECTRONIC RECORDS

Subpart A--General Provisions
Sec.
3.1  Scope.
3.2  Implementation.
3.3  Definitions.
3.4  [Reserved]
Subpart B--Electronic Reporting to EPA
3.10  What are the requirements for acceptable electronic documents?
3.20  How will EPA provide notice of changes to the Central Data 
Exchange?
3.30  [Reserved]
Subpart C--Electronic Record-keeping Under EPA Programs
3.100  What are the requirements for acceptable electronic records?
3.200  [Reserved]
Subpart D--Electronic Reporting and Record-keeping Under EPA-Approved 
State Programs
3.1000  How are authorized State, tribal or local environmental 
programs modified to allow electronic reporting?
3.2000  What are the criteria for acceptable electronic document 
receiving systems?
3.3000  How are authorized State, tribal or local environmental 
programs modified to allow electronic record-keeping?
3.4000  [Reserved]

    Authority: 7 U.S.C. 136 to 136y; 15 U.S.C. 2601 to 2692; 33 
U.S.C. 1251 to 1387; 33 U.S.C. 1401 to 1445; 33 U.S.C. 2701 to 2761; 
42 U.S.C. 300f to 300j-26; 42 U.S.C. 6901-6992k; 42 U.S.C. 7401 to 
7671q; 42 U.S.C. 9601 to 9675; 42 U.S.C. 11001 to 11050; 15 U.S.C. 
7001; 44 U.S.C. 3504 to 3506.

Subpart A--General Provisions


Sec. 3.1  Scope.

What Is Covered by This Part?

    (a) This part sets forth the conditions under which EPA will accept 
the submission of electronic reports and other electronic documents, as 
well as the maintenance of electronic records, by regulated entities, 
as satisfying requirements under this Title to submit reports or other 
documents, or to keep records. This part also sets forth the standards 
and process for EPA approval of changes to authorized State, tribal,

[[Page 46189]]

and local environmental programs to allow electronic report or document 
submission or electronic record maintenance in satisfaction of 
requirements under such authorized programs. This part does not require 
submission of electronic reports or documents or electronic 
recordkeeping in lieu of paper. This part confers no right or privilege 
to submit or maintain data electronically and does not obligate EPA, or 
State, tribal or local agencies to accept electronic data.
    (b) Subpart C of this part applies to records in electronic form 
that are created, modified, maintained, archived, retrieved, or 
transmitted by regulated entities under any recordkeeping requirements 
under this Title. However, Subpart C of this part does not provide for 
the conversion of existing paper documents or records into electronic 
form. Subpart C of this part also does not apply to the Agency's 
recordkeeping requirements set forth in regulations governing 
contracts, grants, and financial management programs.


Sec. 3.2  Implementation.

What Requirements May Be Satisfied by Electronic Reporting and 
Electronic Recordkeeping?

    (a) Electronic reporting to EPA. Any requirement in this Title that 
a document be created and transmitted or otherwise provided to EPA may 
be satisfied with an electronic document, in lieu of a paper document, 
provided that:
    (1) The electronic document satisfies the requirements of 
Sec. 3.10; and
    (2) EPA has published a notice in the Federal Register announcing 
that EPA is prepared to receive in electronic form documents required 
or permitted by the named Part or Subpart of this Title.
    (b) Electronic recordkeeping under EPA programs. Except as provided 
under paragraph (d) of this section or excluded under Sec. 3.1(b), any 
requirement in this Title that a record be maintained may be satisfied 
by maintaining an electronic record, in lieu of a paper record, provided 
that:
    (1) The electronic record satisfies the requirements of Sec. 3.100; 
and
    (2) EPA has published a notice in the Federal Register announcing 
that EPA is prepared to recognize electronic records under the named 
Part or Subpart of this Title.
    (c) Electronic reporting and recordkeeping under an EPA-authorized 
State, tribal, or local environmental program. Except as provided under 
paragraph (d) of this section, any requirement under authorized State, 
tribal, or local environmental programs that reports or documents be 
submitted or records be maintained may be satisfied with electronic 
report or document submission, or with electronic record maintenance, 
respectively, provided that: EPA has approved, in accordance with 
Subpart D of this part, the changes to the authorized State, tribal, or 
local environmental program to allow the electronic report or document 
submission or the electronic record maintenance in satisfaction of the 
authorized program requirement.
    (d) Limitation on the use of electronic records under EPA programs 
and EPA-authorized State, tribal, or local environmental programs. 
Electronic records that meet the requirements of this Part may be used 
in lieu of paper records unless paper records are specifically required 
by other provisions in this Title that take effect on or after [date of 
promulgation of this regulation].


Sec. 3.3  Definitions.

    What definitions are applicable to this part? The definitions set 
forth in this section apply when used in this part.
    Acknowledgment means a confirmation of document receipt.
    Administrator means the Administrator of the Environmental 
Protection Agency.
    Agency means the Environmental Protection Agency or a State, 
tribal, local or other federal agency that administers a federal 
environmental program under this Title.
    Agency electronic signature means an electronic signature of an 
individual who is authorized to sign an electronic document on an 
agency's behalf.
    Authorized State, Tribal, or local environmental program means an 
environmental program which EPA has approved, authorized, or delegated 
to a State, tribe or local government to administer under a federal 
environmental program.
    Communicate means to successfully and accurately convey a document, 
data, or information from one entity to another.
    Electronic document means a document that is submitted to an agency 
or third-party as an electronic record, and communicated via a 
telecommunications network. For purposes of this part, electronic 
document excludes documents submitted on such magnetic media as 
diskettes, compact disks or tapes; it also excludes facsimiles.
    Electronic document receiving system means any set of apparatus, 
procedures, software, records or documentation used to receive 
documents communicated to it via a telecommunications network.
    Electronic record means any combination of text, graphics, data, 
audio, pictorial, or other information represented in digital form that 
is created, modified, maintained, archived, retrieved or distributed by 
a computer system.
    Electronic record-retention system means any set of apparatus, 
procedures, software, records or documentation used to retain exact 
electronic copies of electronic records and electronic documents.
    Electronic submission mechanism means any set of apparatus, 
procedures, software, records or documentation used to communicate an 
electronic document to an electronic document receiving system.
    Electronic signature means any electronic record that is 
incorporated into (or appended to) an electronic document for the 
purpose of expressing the same meaning and intention that an 
individual's handwritten signature would express if affixed in the same 
relation to the document's content presented on paper.
    Electronic signature device means a code or other mechanism that is 
used to create electronic signatures. Where the device is used to 
create an individual's electronic signature, then the code or mechanism 
must uniquely belong to or be associated with or assigned to that 
individual. Where the device is used to create an organization's 
electronic signature, then the code or mechanism must uniquely belong 
to or be associated with or assigned to that organization.
    EPA means the United States Environmental Protection Agency.
    Handwritten signature means the scripted name or legal mark of an 
individual, handwritten by that individual with a writing or marking 
instrument such as a pen or stylus and executed or adopted with the 
present intention to authenticate a writing in a permanent form. The 
physical instance of the scripted name or mark so created constitutes 
the handwritten signature. The scripted name or legal mark, while 
conventionally applied to paper, may also be applied to other hard 
media.
    Metadata means data that describes the properties of other data or 
collections of data (e.g., a database); with respect to a database or 
file containing data, metadata could include information about the 
database's structure, the date and time that data was created or added 
or changed, definitions of the data elements, descriptions of the 
accuracy of the data, etc.

[[Page 46190]]

    Receive means to successfully acquire electronic documents in a 
format that can be processed by the receiving system.
    Regulated entity means any entity that maintains records or submits 
documents to EPA to satisfy requirements under this Title, or that 
maintains records or submits documents to a State, tribal, or local 
agency to satisfy requirements under programs authorized under this 
Title. A State, tribal, or local agency or tribe may be a regulated 
entity where it maintains records or submits documents to satisfy 
requirements that apply to it under this Title (including regulations 
governing authorized State, tribal, or local programs); a State, 
tribal, or local agency will not be a regulated entity where it 
maintains records or submits documents exclusively for other purposes, 
for example as a part of administrative arrangements between States and 
EPA to share data.
    Submit means to communicate a document so that it is received by 
the intended recipient.
    Third-party system means an electronic document receiving system 
that is owned or operated by an entity that is neither a submitter of 
the electronic documents the system receives nor an agency to which 
these electronic documents are submitted.


Sec. 3.4  [Reserved]

Subpart B--Electronic Reporting to EPA


Sec. 3.10  What are the requirements for acceptable electronic 
documents?

    (a) An electronic document will satisfy a federal environmental 
reporting requirement or otherwise substitute for a paper submission 
permitted or required under this Title only if:
    (1) The electronic document is submitted to an electronic document 
receiving system as provided under paragraph (b) of this section, and
    (2) The electronic document bears valid electronic signatures, as 
provided in paragraphs (c), (d) and (e) of this section, to the same 
extent that the paper submission for which it substitutes would bear 
handwritten signatures.
    (b) Electronic documents submitted to EPA to satisfy a federal 
environmental reporting requirement or otherwise substitute for a paper 
submission permitted or required by a federal environmental program 
must be submitted to either:
    (1) EPA's Central Data Exchange; or
    (2) Another EPA electronic document receiving system that the 
Administrator may designate for the receipt of specified submissions.
    (c) An electronic signature is valid if and only if:
    (1) The electronic signature is created by a person who is 
authorized to sign the document, with an electronic signature device 
that this person is authorized to use; and
    (2) The electronic signature meets the validation requirements of 
the electronic document receiving system to which it is submitted.
    (d) A valid electronic signature on any electronic document 
submitted to satisfy a federal or federally authorized State, tribal or 
local government environmental reporting requirement legally binds or 
obligates the signatory, or makes the signatory responsible, to the 
same extent as the signatory's hand-written signature on a paper 
document submitted to satisfy the same federal or federally authorized 
environmental reporting requirement.
    (e) Proof that an individual's electronic signature was affixed to 
an electronic document is evidence, and may suffice to establish, that 
the individual who was issued that signature affixed the signature and 
did so with the intent to sign the electronic document to give it 
effect.


Sec. 3.20  How will EPA provide notice of changes to the Central Data 
Exchange?

    (a) Except as provided under paragraph (b) of this section, 
whenever EPA plans to change Central Data Exchange hardware or software 
in ways that would affect the submission process:
    (1) Where the equipment, software or services needed to submit 
electronic reports to the Central Data Exchange would be changed, EPA 
will provide public notice and seek comment on the proposed change at 
least a year in advance of the proposed implementation date;
    (2) Otherwise, EPA will provide public notice at least sixty (60) 
days in advance of implementation.
    (b) Any change which the Administrator determines is needed to 
ensure the security and integrity of the Central Data Exchange is 
exempt from the provisions of paragraph (a) of this section. However, 
to the extent consistent with ensuring the security and integrity of 
the system, EPA will provide public notice of any change to the Central 
Data Exchange made under the authority expressly reserved by this 
subsection.


Sec. 3.30  [Reserved]

Subpart C--Electronic Recordkeeping under EPA Programs


Sec. 3.100  What are the requirements for acceptable electronic 
records?

    (a) An electronic record or electronic document will satisfy a 
recordkeeping requirement of an EPA-administered federal environmental 
program under this Title only if it is generated and maintained by an 
acceptable electronic record-retention system as specified under this 
subsection. For purposes of maintaining electronic records that satisfy 
recordkeeping requirements under this Title, an acceptable electronic 
record-retention system must:
    (1) Generate and maintain accurate and complete electronic records 
and electronic documents in a form that may not be altered without 
detection;
    (2) Maintain all electronic records and electronic documents 
without alteration for the entirety of the required period of record 
retention;
    (3) Produce accurate and complete copies of any electronic record 
or electronic document and render these copies readily available, in 
both human readable and electronic form, for on-site inspection and 
off-site review, for the entirety of the required period of record 
retention;
    (4) Provide that any electronic record or electronic document 
bearing an electronic signature contain the name of the signatory, the 
date and time of signature, and any information that explains the 
meaning of the affixed signature;
    (5) Prevent an electronic signature that has been affixed to an 
electronic record or electronic document from being detached, copied, 
or otherwise compromised;
    (6) Use secure, computer-generated, time-stamped audit trails that 
automatically record the date and time of operator entries and actions 
that create, modify, or delete electronic records or documents;
    (7) Ensure that record changes do not obscure previously recorded 
information and that audit trail documentation is retained for a period 
at least as long as that required for the subject electronic records or 
electronic documents to be available for agency review;
    (8) Ensure that electronic records and electronic documents are 
searchable and retrievable for reference and secondary uses, including 
inspections, audits, legal proceedings, third party disclosures, as 
required by applicable regulations, for the entirety of the required 
period of record retention;

[[Page 46191]]

    (9) Archive electronic records and documents in an electronic form 
which preserves the context, metadata, and audit trail, and, if 
required, must ensure that:
    (i) Complete records can be transferred to a new system;
    (ii) Related metadata can be transferred to a new system;
    (iii) Functionality necessary for use of records can be reproduced 
in a new system; and
    (b) Computer systems (including hardware and software), controls, 
and attendant documentation maintained under this Part must be readily 
available for, and subject to, agency inspection.
    (c) Where electronic records bear electronic signatures that meet 
the requirements in paragraphs (a)(4) and (a)(5) of this section, EPA 
will consider the electronic signatures to be equivalent to full 
handwritten signatures, initials, and other general signings as 
required by federal or federally authorized State, tribal or local 
government environmental regulations, unless specifically excepted by 
regulation(s) effective on or after [date of promulgation of this 
regulation].
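
One way a record-retention system could meet paragraphs (a)(1) and (a)(4) through (a)(7) of Sec. 3.100, given here as an added illustration that is not part of the proposed rule text or of any EPA system. The names `AuditedStore`, `make_signature` and `signature_valid` are hypothetical, and HMAC-SHA-256 with a per-signatory key is an assumed stand-in for whatever electronic signature device a system actually uses.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first audit entry


def digest(obj) -> str:
    """SHA-256 over a canonical (sorted-key) JSON encoding."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def utc_now() -> str:
    return datetime.now(timezone.utc).isoformat()


def make_signature(key, signer, meaning, record_id, content, when) -> dict:
    """(a)(4): name, time and meaning; (a)(5): bound to one record's content."""
    block = {"signer": signer, "time": when, "meaning": meaning,
             "record_id": record_id, "content_hash": digest(content)}
    mac = hmac.new(key, digest(block).encode(), hashlib.sha256).hexdigest()
    return dict(block, mac=mac)


def signature_valid(key, sig, record_id, content) -> bool:
    """False if the block was edited, or moved to another record or other content."""
    block = {k: v for k, v in sig.items() if k != "mac"}
    expected = hmac.new(key, digest(block).encode(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, sig.get("mac", ""))
            and block.get("record_id") == record_id
            and block.get("content_hash") == digest(content))


class AuditedStore:
    """Append-only store: every action becomes a hash-chained, time-stamped entry."""

    def __init__(self, clock=utc_now):
        self.entries = []      # the audit trail, oldest first
        self._clock = clock    # assumption: a trusted, tamper-protected time source

    def append(self, operator, action, record_id, content=None, signature=None):
        if action not in ("create", "modify", "delete", "sign"):
            raise ValueError("unknown action: " + action)
        body = {
            "seq": len(self.entries),
            "time": self._clock(),                  # (a)(6): recorded automatically
            "operator": operator,
            "action": action,
            "record_id": record_id,
            "content": content,
            "signature": signature,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry = dict(body, entry_hash=digest(body))
        self.entries.append(entry)
        return entry

    def current(self, record_id):
        """Latest content of a record, or None if it is absent or deleted."""
        content = None
        for e in self.entries:
            if e["record_id"] == record_id and e["action"] != "sign":
                content = e["content"]
        return content

    def sign(self, key, signer, meaning, record_id):
        content = self.current(record_id)
        if content is None:
            raise KeyError(record_id)
        sig = make_signature(key, signer, meaning, record_id, content, self._clock())
        return self.append(signer, "sign", record_id, signature=sig)

    def history(self, record_id):
        """(a)(7): every version ever written, oldest first; nothing is overwritten."""
        return [e["content"] for e in self.entries
                if e["record_id"] == record_id and e["action"] in ("create", "modify")]

    def first_broken_entry(self):
        """(a)(1): sequence number of the first entry failing verification, else None."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_hash"] != prev or digest(body) != e["entry_hash"]:
                return i
            prev = e["entry_hash"]
        return None


if __name__ == "__main__":
    key = b"constructed-demo-key"                  # constructed sample data
    store = AuditedStore()
    store.append("operator-1", "create", "REPORT-1", "pH=7.1")
    store.append("operator-2", "modify", "REPORT-1", "pH=7.4")
    sig = store.sign(key, "J. Doe", "certifies accuracy", "REPORT-1")["signature"]
    print(store.first_broken_entry(), store.history("REPORT-1"))
    print(signature_valid(key, sig, "REPORT-2", "pH=7.4"))   # copied signature
    store.entries[0]["content"] = "pH=6.9"                  # silent edit
    print(store.first_broken_entry())
```

The newest `entry_hash` has to be anchored outside the store, because anyone able to rewrite the whole list can recompute every hash. A symmetric HMAC also lets any holder of the key produce signatures, so a system that must prove authorship to a third party would use a per-signatory asymmetric key instead.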


Sec. 3.200  [Reserved]

Subpart D--Electronic Reporting and Recordkeeping Under EPA-
Approved State Programs


Sec. 3.1000  How are authorized State, tribal or local environmental 
programs modified to allow electronic reporting?

    (a) States, tribes, or local environmental programs that wish to 
receive electronic reports or documents in satisfaction of requirements 
under such programs must revise or modify the EPA-approved State, 
tribal, or local environmental program to ensure that it meets the 
requirements of this part. The State, tribe, or local government must 
use existing State, tribal, or local environmental program procedures 
in making these program revisions or modifications.
    (b) In order for EPA to approve a program revision under paragraph 
(a) of this section the State, tribe, or local government must 
demonstrate that electronic reporting under this program will:
    (1) Use an acceptable electronic document receiving system as 
specified under Sec. 3.2000;
    (2) Require that any electronic report or document must bear valid 
electronic signatures, as provided in Sec. 3.10(c), (d) and (e), to the 
same extent that the paper submission for which it substitutes would 
bear handwritten signatures under the State, tribal, or local 
environmental program.


Sec. 3.2000  What are the criteria for acceptable electronic document 
receiving systems?

    An electronic document receiving system that is acceptable for 
purposes of receiving electronic reports or documents submitted under 
provisions of an authorized State, tribal or local environmental 
program must meet all of the following requirements:
    (a) General system-security. An acceptable electronic document 
receiving system must:
    (1) Have strong and effective protections against unauthorized 
access to the system;
    (2) Have strong and effective protections against the unauthorized 
use of any electronic signature on electronic documents submitted or 
received;
    (3) Provide for the detection of unauthorized access or attempted 
access to the system and unauthorized use or attempted use of any 
electronic signature on electronic documents submitted or received;
    (4) Prevent the modification of an electronic document once an 
electronic signature has been affixed;
    (5) Ensure that the electronic documents and other files necessary 
to meet the requirements under paragraphs (f) and (g) of this section 
are protected from modification or deletion;
    (6) Ensure that the system clock is accurate and protected from 
tampering or other compromise; and
    (7) Have strong and effective protections against any other 
foreseeable corruption or compromise of the system.
    (b) Validity of data. An acceptable electronic document receiving 
system must generate data sufficient to prove, in private litigation, 
civil enforcement proceedings, and criminal proceedings, that:
    (1) The electronic document was not altered in transmission or at 
any time after receipt; and
    (2) The electronic document was submitted knowingly and not by 
accident; and
    (3) In the case of documents requiring the signature of an 
individual, that the document was actually submitted by the authorized 
signature holder and not some other person.
    (c) Electronic signature method. By virtue of its presence as a 
part of an electronic document submitted or received, an electronic 
signature must uniquely identify the particular individual who has used 
it to sign an electronic document or otherwise certify to the truth or 
accuracy of the document contents; therefore, an acceptable electronic 
document receiving system must only validate electronic signatures 
created with a method that:
    (1) Meets the registration requirements of paragraph (d) of this 
section;
    (2) Meets the signature/certification requirements of paragraph (e) 
of this section;
    (3) Prevents an electronic signature from being excised, modified, 
or copied for re-use without detection once it has been affixed to an 
electronic document by the authorized individual;
    (4) Provides protection against the use of a specific electronic 
signature by unauthorized individuals;
    (5) Ensures that it is impossible to modify an electronic document 
without detection once the electronic signature has been affixed.
    (d) Submitter registration process. An acceptable electronic 
document receiving system must require that anyone who submits an 
electronic document to the system first register with the agency to 
which the document is to be submitted. The registration process must 
establish the identities of both the registrant, who is the prospective 
submitter, and any entity that the registrant is authorized to 
represent, and must establish that the registrant is authorized to 
submit the document in question for the entity being represented. In 
addition, where the documents to be received will require signature, 
the registration process must:
    (1) Establish the registrant's identity, and the registrant's 
relation to any entity for which the registrant will submit electronic 
documents, with evidence that can be verified by information sources 
that are independent of the registrant and the entity or entities in 
question and that would be sufficient to identify the registrant as the 
signature holder for purposes of supporting litigation consistent with 
paragraph (b) of this section;
    (2) Establish and document a unique correlation between the 
registrant and the code or device that will constitute or create the 
electronic signature of the registrant as a submitter;
    (3) Require that the registrant sign on paper, or in such other 
manner or medium as the Administrator in his or her discretion may 
determine as appropriate for a category of electronic reports, an 
electronic signature agreement specifying at a minimum that the 
registrant agrees to:
    (i) Protect the electronic signature from unauthorized use, and 
follow any procedures specified by the agency for this purpose;
    (ii) Be held as legally bound, obligated, or responsible by use of 
the assigned electronic signature as by hand-written signature;

[[Page 46192]]

    (iii) Where the signature method is based on a secret code or key, 
maintain the confidentiality of each component of the electronic 
signature;
    (iv) In any case, never to delegate the use of the electronic 
signature, or in any other way intentionally provide access to its use, 
to any other individual for any reason; and
    (v) Report to the entity specified in the electronic signature 
agreement, within twenty-four hours of discovery, any evidence of the 
loss, theft, or other compromise of any component of an electronic 
signature;
    (4) Provide for the automatic and immediate revocation of an 
electronic signature in the event of:
    (i) Any actual or apparent violation of the electronic signature 
agreement;
    (ii) Any evidence that the signature has been compromised, whether 
or not this is reported by the registrant to whom the signature was 
issued; or
    (iii) Notification from an entity that the registrant is no longer 
authorized by the entity to submit electronic documents on its behalf;
    (5) Require that the registrant periodically renew his or her 
electronic signature agreement, under terms that the Administrator 
determines provide adequate assurance that the criteria of paragraphs 
(a) and (b) of this section are met, taking into account both 
applicable contractual provisions and industry standards for renewal or 
re-issuance of signature codes or devices.
    (e) Electronic signature/certification scenario. An acceptable 
electronic document receiving system that may be used to accept 
electronic documents bearing an electronic signature must:
    (1) Not allow an electronic signature to be affixed to the 
electronic document until:
    (i) The signatory has been provided an opportunity to review all of 
the data to be transmitted in an on-screen visual format that clearly 
associates the descriptions or labeling of the information being 
requested with the signatory's response and which format is identical 
or nearly identical to the visual format in which a corresponding paper 
document would be submitted; and
    (ii) A certification statement that is identical to that which 
would be required for a paper submission of the document appears on-
screen in an easily-read format immediately above a prompt to affix the 
certifying signature, together with a prominently displayed warning 
that by affixing the signature the signatory is agreeing that he or she 
is the authorized signature holder--referred to by name--has protected 
the security of the signature as required by the electronic signature 
agreement signed under paragraph (d)(3) of this section and is 
otherwise using the signature in compliance with the electronic 
signature agreement;
    (2) Automatically respond to the receipt of an electronic document 
with transmission of an electronic acknowledgment that:
    (i) States that the signed electronic document has been received, 
clearly identifies the electronic document received, indicates how the 
signatory may view and download a copy of the electronic document 
received from a read-only source, and states the date and time of 
receipt; and
    (ii) Is sent to an address whose access is controlled by password, 
codes or other mechanisms that are different than the controls used to 
gain access to the system used to sign/certify and send the electronic 
document;
    (3) Automatically create an electronic ``copy of record'' of the 
submitted report that includes all the warnings, instructions and 
certification statements presented to the signatory during the 
signature/certification scenario as described under paragraph (e)(1) of 
this section, and that:
    (i) Can be viewed by the signatory, in its entirety, on-screen in a 
human-readable format that clearly and accurately associates all of the 
information provided by the signatory with the descriptions or labeling 
of the information that was requested;
    (ii) Includes the date and time of receipt stated in the electronic 
acknowledgment required by paragraph (e)(2) of this section;
    (iii) Has an agency electronic signature affixed that satisfies the 
requirements for electronic signature method under paragraphs (c)(3), 
(c)(4), and (c)(5) of this section;
    (iv) Is archived by the system in compliance with the requirements 
of paragraph (g) of this section;
    (v) Is made available to the submitter for viewing and 
downloading; and
    (vi) Is protected from unauthorized access.
    (f) Transaction Record. An acceptable electronic document receiving 
system must create a transaction record for each received electronic 
document that includes:
    (1) The precise routing of the electronic report from the 
submitter's computer to the electronic document receiving system;
    (2) The precise date and time (based on the system clock) of:
    (i) Initial receipt of the electronic document;
    (ii) Sending of electronic acknowledgment under paragraph (e)(2) of 
this section;
    (iii) Creation of the copy of record under paragraph (e)(3) of this 
section;
    (3) Copy of record as specified under paragraph (e)(3) of this 
section.
    (g) System archives. An acceptable electronic document receiving 
system must:
    (1) Maintain:
    (i) The transaction records specified under paragraph (f) of this 
section, and
    (ii) Records of the system on-screen interface displayed to a user 
under paragraph (e) of this section that can be correlated to the 
submission of any particular report (including instructions, prompts, 
warnings, data formats and labels, as well as the sequencing and 
functioning of these elements);
    (2) Maintain the records specified under paragraph (g)(1) of this 
section for at least the same length of time as would be required for a 
paper document that corresponds to the received electronic document, 
and in a way that:
    (i) Can be demonstrated to have preserved them in their entirety 
without alteration since the time of their creation; and
    (ii) Provides access to these records in a timely manner that meets 
the needs of their authorized users.
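
An added illustration, not part of the proposed rule text: one way a receiving system could meet paragraphs (c)(3), (c)(5), (d)(4) and (e)(3)(iii) above, by binding the signature to the document digest, the certification statement and the registrant, and then sealing the copy of record with an agency key. HMAC-SHA256 stands in for the signature method, and every name, key and report value is a constructed assumption.

```python
import hashlib
import hmac
import json


def canonical(obj) -> bytes:
    """Deterministic serialization so equal content always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def digest(obj) -> str:
    return hashlib.sha256(canonical(obj)).hexdigest()


def mac(key: bytes, payload) -> str:
    # Assumption: HMAC-SHA256 stands in for the signature method. It models a
    # method "based on a secret code or key"; the verifier holds the same key.
    return hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()


def affix_signature(document, certification, registrant_id, key):
    """Sign the document digest together with the certification text and the
    signer's identity, so the signature cannot be lifted onto other content."""
    signed = {
        "document_sha256": digest(document),
        "certification": certification,
        "registrant_id": registrant_id,
    }
    return {"document": document, "signed": signed, "signature": mac(key, signed)}


def verify_submission(sub, registry) -> bool:
    """Accept only an unmodified document signed by a registered, unrevoked key."""
    entry = registry.get(sub["signed"]["registrant_id"])
    if entry is None or entry["revoked"]:  # (d)(4): revoked signatures fail
        return False
    if digest(sub["document"]) != sub["signed"]["document_sha256"]:
        return False  # (c)(5): document changed after signing
    expected = mac(entry["key"], sub["signed"])
    return hmac.compare_digest(expected, sub["signature"])  # (c)(3): no re-use


def make_copy_of_record(sub, received_at, agency_key):
    """(e)(3): copy of record with receipt time, sealed by the agency key."""
    body = {"submission": sub, "received_at": received_at}
    return {"body": body, "agency_signature": mac(agency_key, body)}


def copy_of_record_intact(cor, agency_key) -> bool:
    """(g)(2)(i): show the archived record is unaltered since creation."""
    return hmac.compare_digest(mac(agency_key, cor["body"]), cor["agency_signature"])


# Constructed sample data (hypothetical registrant, keys and report).
REGISTRY = {"reg-001": {"key": b"constructed-registrant-key", "revoked": False}}
AGENCY_KEY = b"constructed-agency-key"
REPORT = {"facility": "Example Plant", "period": "2001-Q2", "so2_tons": 12.5}
CERTIFICATION = "I certify that this report is true, accurate and complete."

if __name__ == "__main__":
    sub = affix_signature(REPORT, CERTIFICATION, "reg-001", REGISTRY["reg-001"]["key"])
    print("accepted:", verify_submission(sub, REGISTRY))
    cor = make_copy_of_record(sub, "2001-08-31T12:00:00Z", AGENCY_KEY)
    print("copy of record intact:", copy_of_record_intact(cor, AGENCY_KEY))
```
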


Sec. 3.3000  How are authorized State, tribal or local environmental 
programs modified to allow electronic recordkeeping?

    (a) State, tribal, or local environmental programs that wish to 
allow the maintenance of electronic records or documents in 
satisfaction of requirements under such programs must revise or modify 
the EPA-approved State, tribal, or local environmental program to 
ensure that it meets the requirements of this part. The State, tribe, 
or local government must use existing State, tribal or local 
environmental program procedures in making these program revisions or 
modifications.
    (b) In order for EPA to approve a program revision under paragraph 
(a) of this section the State, tribe, or local government must 
demonstrate that records maintained electronically under this program 
will satisfy the requirements under Sec. 3.100 of this part.


Sec. 3.4000  [Reserved]

PART 51--REQUIREMENTS FOR PREPARATION, ADOPTION, AND SUBMITTAL OF 
IMPLEMENTATION PLANS

    1. The authority citation for part 51 continues to read as follows:


[[Page 46193]]


    Authority: 23 U.S.C. 101; 42 U.S.C. 7401-7671q.

    2. Section 51.286 is added to Subpart O of this part to read as 
follows:


Sec. 51.286  Electronic reporting.

    States that wish to receive electronic documents or allow 
electronic recordkeeping must revise the State Implementation Plan to 
satisfy the requirements of 40 CFR part 3--(Electronic reporting).

PART 60--STANDARDS OF PERFORMANCE FOR NEW STATIONARY SOURCES

    1. The authority citation for part 60 continues to read as follows:

    Authority: 42 U.S.C. 7401-7601.

    2. Section 60.7 is amended by revising introductory text in 
paragraph (a) to read as follows:


Sec. 60.7  Notification and recordkeeping.

    (a) Any owner or operator subject to the provisions of this part 
shall furnish the Administrator written notification or, if acceptable 
to both the Administrator and the owner or operator of a source, 
electronic notification consistent with the requirements of 40 CFR part 
3--(Electronic reporting), as follows:
* * * * *

PART 63--NATIONAL EMISSION STANDARDS FOR HAZARDOUS AIR POLLUTANTS 
FOR SOURCE CATEGORIES

    1. The authority citation for part 63 continues to read as follows:

    Authority: 42 U.S.C. 7401 et seq.

    2. Section 63.6 is amended by adding a new paragraph (k) to read as 
follows:


Sec. 63.6  Compliance with standards and maintenance requirements.

* * * * *
    (k) Electronic documents and recordkeeping. Submission of 
electronic documents and retention of electronic records shall comply 
with the requirements of 40 CFR part 3--(Electronic reporting).

PART 70--STATE OPERATING PERMIT PROGRAMS

    1. The authority citation for part 70 continues to read as follows:

    Authority: 42 U.S.C. 7401, et seq.

    2. Section 70.1 is amended by adding a new paragraph (f) to read as 
follows:


Sec. 70.1  Program overview.

* * * * *
    (f) States that choose to receive electronic documents or allow 
electronic recordkeeping must satisfy the requirements of 40 CFR part 
3--(Electronic reporting) in their program.

PART 123--STATE PROGRAM REQUIREMENTS

    1. The authority citation for part 123 continues to read as 
follows:

    Authority: Clean Water Act, 33 U.S.C. 1251 et seq.

    2. Section 123.25 is amended by revising paragraphs (a)(44) and 
(a)(45), and adding a new paragraph (a)(46) to read as follows:


Sec. 123.25  Requirements for permitting.

    (a) * * *
    (44) Section 122.35 (As an operator of a regulated small MS4, may I 
share the responsibility to implement the minimum control measures with 
other entities?);
    (45) Section 122.36 (As an operator of a regulated small MS4, what 
happens if I don't comply with the application or permit requirements 
in Secs. 122.33 through 122.35?); and
    (46) For States that wish to receive electronic documents or allow 
electronic recordkeeping, 40 CFR part 3--(Electronic reporting).
* * * * *

PART 142--NATIONAL PRIMARY DRINKING WATER REGULATIONS 
IMPLEMENTATION

    1. The authority citation for part 142 continues to read as 
follows:

    Authority: 42 U.S.C. 300f, 300g-1, 300g-2, 300g-3, 300g-4, 300g-
5, 300g-6, 300j-4, 300j-9, and 300j-11.

    2. Section 142.10 is amended by adding paragraph (h) to read as 
follows:


Sec. 142.10  Requirements for a determination of primary enforcement 
responsibility.

* * * * *
    (h) Has adopted regulations consistent with 40 CFR part 3--
(Electronic reporting) if the State receives electronic documents or 
allows electronic record-keeping.

PART 145--REQUIREMENTS FOR STATE PROGRAMS

    1. The authority citation for part 145 continues to read as 
follows:

    Authority: 42 U.S.C. 300f et seq.

    2. Section 145.11 is amended by revising paragraphs (a)(30), 
(a)(31), (a)(32), and adding paragraph (a)(33) to read as follows:


Sec. 145.11  Requirements for permitting.

    (a) * * *
    (30) Section 124.12(a)--(Public hearings);
    (31) Section 124.17(a) and (c)--(Response to comments);
    (32) Section 144.88--(What are the additional requirements?); and
    (33) For States that wish to receive electronic documents or allow 
electronic recordkeeping, 40 CFR part 3--(Electronic reporting).
* * * * *

PART 162--STATE REGISTRATION OF PESTICIDE PRODUCTS

    1. The authority citation for part 162 continues to read as 
follows:

    Authority: U.S.C. 136v, 136w.

    2. Section 162.153 is amended by adding a new paragraph (a)(6) to 
read as follows:
    (a) * * *
    (6) Electronic reporting and Recordkeeping under State Registration 
of Pesticide Products. States that choose to receive electronic 
documents or allow electronic records under the regulations pertaining 
to State registration of pesticides to meet special local needs, must 
ensure that the requirements of 40 CFR part 3--(Electronic reporting) 
are satisfied by their State registration program.
* * * * *

PART 233--404 STATE PROGRAM REGULATIONS

    1. The authority citation for part 233 continues to read as 
follows:

    Authority: 33 U.S.C. 1251 et seq.

    2. A new Sec. 233.39 is added to Subpart D of this part to read as 
follows:


Sec. 233.39  Electronic Reporting and Recordkeeping.

    States that choose to receive electronic documents or allow 
electronic recordkeeping must include the requirements of 40 CFR part 
3--(Electronic reporting) in their State program.

PART 257--CRITERIA FOR CLASSIFICATION OF SOLID WASTE DISPOSAL 
FACILITIES AND PRACTICES

    1. The authority citation for part 257 continues to read as 
follows:

    Authority: 42 U.S.C. 6907(a)(3), 6912(a)(1), 6944(a) and 
6949(c), 33 U.S.C. 1345(d) and (e).

    2. Section 257.30 is amended by adding a new paragraph (d) to read 
as follows:


Sec. 257.30  Recordkeeping requirements.

* * * * *

[[Page 46194]]

    (d) The Director of an approved State program may receive 
electronic documents or allow electronic recordkeeping only if the 
State program includes the requirements of 40 CFR part 3--(Electronic 
reporting).

PART 258--CRITERIA FOR MUNICIPAL SOLID WASTE LANDFILLS

    1. The authority citation for part 258 continues to read as 
follows:

    Authority: 33 U.S.C. 1345 (d) and (e); 42 U.S.C. 6902(a), 6907, 
6912(a), 6944, 6945(c) and 6949a(c).

    2. Section 258.29 is amended by adding a new paragraph (d) to read 
as follows:


Sec. 258.29  Recordkeeping requirements.

* * * * *
    (d) The Director of an approved State program may receive 
electronic documents or allow electronic recordkeeping only if the 
State program includes the requirements of 40 CFR part 3--(Electronic 
reporting).

PART 271--REQUIREMENTS FOR AUTHORIZATION OF STATE HAZARDOUS WASTE 
PROGRAMS

    1. The authority citation for part 271 continues to read as 
follows:

    Authority: 42 U.S.C. 6905, 6912 and 6926.

    2. Section 271.10 is amended by revising paragraph (d) to read as 
follows:


Sec. 271.10  Requirements for generators of hazardous waste.

* * * * *
    (b) The State shall have authority to require and shall require all 
generators to comply with reporting and recordkeeping requirements 
equivalent to those under 40 CFR 262.40 and 262.41. States must require 
that generators keep these records at least 3 years. States that choose 
to receive electronic documents or allow electronic recordkeeping must 
include the requirements of 40 CFR part 3--(Electronic reporting) in 
their Program (except that States that choose to receive electronic 
manifests and/or permit the use of electronic manifests must comply 
with paragraph (f) of this section).
* * * * *
    2. Section 271.12 is amended by revising paragraph (h) to read as 
follows:


Sec. 271.12  Requirements for hazardous waste management facilities.

* * * * *
    (h) Inspections, monitoring, recordkeeping, and reporting. States 
that choose to receive electronic documents or allow electronic 
recordkeeping must include the requirements of 40 CFR part 3--
(Electronic reporting) in their Program (except that States that choose 
to receive electronic manifests and/or permit the use of electronic 
manifests must comply with paragraph (i) of this section);
* * * * *

PART 281--APPROVAL OF STATE UNDERGROUND STORAGE TANK PROGRAMS

    1. The authority citation for part 281 continues to read as 
follows:

    Authority: 42 U.S.C. 6912, 6991 (c), (d), (e), (g).

    2. Section 281.40 is amended by revising paragraph (d) to read as 
follows:


Sec. 281.40  Requirements for compliance monitoring program and 
authority.

* * * * *
    (d) State programs must have procedures for receipt, evaluation, 
retention and investigation of records and reports required of owners 
or operators and must provide for enforcement of failure to submit 
these records and reports. States that choose to receive electronic 
documents or allow electronic recordkeeping must include the 
requirements of 40 CFR part 3--(Electronic reporting) in their State 
program.
* * * * *

PART 403--GENERAL PRETREATMENT REGULATIONS FOR EXISTING AND NEW 
SOURCES OF POLLUTION

    1. The authority citation for part 403 continues to read as 
follows:

    Authority: 33 U.S.C. 1251 et seq.

    2. Section 403.8 is amended by adding a new paragraph (g) to read 
as follows:


Sec. 403.8  Pretreatment Program Requirements: Development and 
Implementation by POTW.

* * * * *
    (g) A POTW pretreatment program may receive electronic documents or 
allow electronic recordkeeping only if the POTW pretreatment program 
includes the requirements of 40 CFR part 3--(Electronic reporting).
    2. Section 403.12 is amended by adding a new paragraph (q) to read 
as follows:


Sec. 403.12.40  Reporting requirements for POTW's and industrial users.

* * * * *
    (q) The Control Authority may receive electronic documents or allow 
electronic recordkeeping only in compliance with the requirements of 40 
CFR part 3--(Electronic reporting).

PART 501--STATE SLUDGE MANAGEMENT PROGRAM REGULATIONS

    1. The authority citation for part 501 continues to read as 
follows:

    Authority: 33 U.S.C. 1251 et seq.

    2. Section 501.15 is amended by adding a new paragraph (a)(4) to 
read as follows:


Sec. 501.15  Requirements for permitting.

    (a) * * *
    (4) Information requirements: All treatment works treating domestic 
sewage shall submit to the Director within the time frames established 
in paragraph (d)(1)(ii) of this section the information listed in (i)-
(xii) of this paragraph. The Director of an approved State program may 
receive electronic documents or allow electronic recordkeeping only if 
the State program includes the requirements of 40 CFR part 3--
(Electronic reporting).
* * * * *

PART 745--LEAD-BASED PAINT POISONING PREVENTION IN CERTAIN 
RESIDENTIAL STRUCTURES

    1. The authority citation for part 745 continues to read as 
follows:

    Authority: 15 U.S.C. 2605, 2607, 2681-2692 and 42 U.S.C. 4852d.

    2. Section 745.327 is amended by adding a new paragraph (f) to read 
as follows:


Sec. 745.327  State or Indian Tribal lead-based paint compliance and 
enforcement programs.

* * * * *
    (f) Electronic reporting and Record-keeping under State or Indian 
Tribal programs. States and Tribes that choose to receive electronic 
documents or allow electronic records under the authorized State or 
Indian Tribal lead-based paint program, must ensure that the 
requirements of 40 CFR part 3--(Electronic reporting) are satisfied in 
their lead-based paint program.

PART 763--ASBESTOS

    1. The authority citation for part 763 continues to read as 
follows:

    Authority: 15 U.S.C. 2605, 2607(c), 2643, and 2646.

    2. Section 763.98 is amended by revising paragraphs (a)(1), (b)(3), 
and (d)(3) to read as follows:

[[Page 46195]]

Sec. 763.98  Waiver; delegation to State.

    (a) General. (1) Upon request from a State Governor and after 
notice and comment and an opportunity for a public hearing in 
accordance with paragraphs (b) and (c) of this section, EPA may waive 
some or all of the requirements of this subpart E if the State has 
established and is implementing or intends to implement a program of 
asbestos inspection and management that contains requirements that are 
at least as stringent as the requirements of this subpart. In addition, 
if the State chooses to receive electronic documents or allow 
electronic recordkeeping, the State program must include, at a minimum, 
the requirements of 40 CFR part 3--(Electronic reporting).
* * * * *
    (b) * * *
    (3) Detailed reasons, supporting papers, and the rationale for 
concluding that the State's asbestos inspection and management program 
provisions for which the request is made are at least as stringent as 
the requirements of Subpart E of this part, and that, if the State 
chooses to receive electronic documents or allow electronic 
recordkeeping, the State program includes, at a minimum, the 
requirements of 40 CFR part 3--(Electronic reporting).
* * * * *
    (d) * * *
    (3) The State has an enforcement mechanism to allow it to implement 
the program described in the waiver request and any electronic 
reporting and recordkeeping requirements are at least as stringent as 
40 CFR part 3--(Electronic reporting).
* * * * *
    3. In part 763, paragraph I, of appendix C to subpart E of this 
part is amended to add a new subparagraph (I) to read as follows:

Appendix C to Subpart E--Asbestos Model Accreditation Plan

I. Asbestos Model Accreditation Plan for States
* * * * *
(I) Electronic Reporting and Recordkeeping
    States that choose to receive electronic documents or allow 
electronic recordkeeping must include, at a minimum, the requirements 
of 40 CFR part 3--(Electronic reporting) in their programs.

[FR Doc. 01-21810 Filed 8-30-01; 8:45 am]